Abstract

Forty years ago, Wiesner pointed out that quantum mechanics raises the striking possibility of money that cannot be counterfeited according to the laws of physics. We propose the first quantum money scheme that is

(1) public-key — meaning that anyone can verify a banknote as genuine, not only the bank that printed it, and

(2) cryptographically secure, under a "classical" hardness assumption that has nothing to do with quantum money.

Our scheme is based on hidden subspaces, encoded as the zero-sets of random multivariate polynomials. A main technical advance is to show that the "black-box" version of our scheme, where the polynomials are replaced by classical oracles, is unconditionally secure. Previously, such a result had only been known relative to a quantum oracle (and even there, the proof was never published).

Even in Wiesner's original setting — quantum money that can only be verified by the bank — we are able to use our techniques to patch a major security hole in Wiesner's scheme. We give the first private-key quantum money scheme that allows unlimited verifications and that remains unconditionally secure, even if the counterfeiter can interact adaptively with the bank.

Our money scheme is simpler than previous public-key quantum money schemes, including a knot-based scheme of Farhi et al. The verifier needs to perform only two tests, one in the standard basis and one in the Hadamard basis — matching the original intuition for quantum money, based on the existence of complementary observables.

Our security proofs use a new variant of Ambainis's quantum adversary method, and several other tools that might be of independent interest.
1 Introduction

"Information wants to be free" — this slogan expresses the idea that classical bits, unlike traditional economic goods, can be copied an unlimited number of times. The copyability of classical information is one of the foundations of the digital economy, but it is also a nuisance to governments, publishers, software companies, and others who wish to prevent copying. Today, essentially all electronic commerce involves a trusted third party, such as a credit card company, to mediate transactions. Without such a third party entering at some stage, it is impossible to prevent electronic cash from being counterfeited, regardless of what cryptographic assumptions one makes.^1

Famously, though, quantum bits do not "want to be free" in the same sense that classical bits do: in many respects, they behave more like gold, oil, or other traditional economic goods. Indeed, the No-Cloning Theorem, which is an immediate consequence of the linearity of quantum mechanics, says that there is no physical procedure that takes as input an unknown^2 quantum pure state $|\psi\rangle$, and that produces as output two unentangled copies of $|\psi\rangle$, or even a close approximation thereof. The No-Cloning Theorem is closely related to the uncertainty principle, which says that there exist "complementary" properties of a quantum state (for example, its position and momentum) that cannot both be measured to unlimited accuracy.^3

^1 The recent Bitcoin system is an interesting illustration of this principle: it gets rid of the centralized third party, but still uses a "third party" distributed over the community of Bitcoin users.

1.1 The History of Quantum Money

But can one actually exploit the No-Cloning Theorem to achieve classically-impossible cryptographic tasks? This question was first asked by Wiesner [41], in a remarkable paper written around 1970 (but only published in 1983) that arguably founded quantum information science. In that paper, Wiesner proposed a scheme for quantum money that would be physically impossible to clone. In Wiesner's scheme, each "banknote" would consist of a classical serial number $s$, together with a quantum state $|\psi_s\rangle$ consisting of $n$ unentangled qubits, each one $|0\rangle$, $|1\rangle$, $|+\rangle$ or $|-\rangle$ with equal probability. The issuing bank would maintain a giant database, which stored a classical description of $|\psi_s\rangle$ for each serial number $s$. Whenever someone wanted to verify a banknote, he or she would take it back to the bank — whereupon the bank would use its knowledge of how $|\psi_s\rangle$ was prepared to measure each qubit in the appropriate basis, and check that it got the correct outcomes. On the other hand, it can be proved [32] that someone who did not know the appropriate bases could copy the banknote with success probability at most $(3/4)^n$.

Though historically revolutionary, Wiesner's money scheme suffered at least three drawbacks:

(1) The "Verifiability Problem": The only entity that can verify a banknote is the bank that printed it.

(2) The "Online Attack Problem": A counterfeiter able to submit banknotes for verification, and get them back afterward, can easily break Wiesner's scheme ([29, 3]; see also Section 7).

(3) The "Giant Database Problem": The bank needs to maintain a database with an entry for every banknote in circulation.

In followup work in 1982, Bennett, Brassard, Breidbart, and Wiesner [13] (henceforth BBBW) at least showed how to eliminate the giant database problem: namely, by generating the state $|\psi_s\rangle = |\psi_{f_k(s)}\rangle$ using a pseudorandom function $f_k$, with key $k$ known only by the bank. Unlike Wiesner's original scheme, the BBBW scheme is no longer information-theoretically secure: a counterfeiter can recover $k$ given exponential computation time. On the other hand, a counterfeiter cannot break the scheme in polynomial time, unless it can also distinguish $f_k$ from a random function.
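As an added illustration (not code from the paper), the following Python models Wiesner's conjugate-coded banknotes, the bank's qubit-by-qubit check in the preparation bases, the BBBW variant in which the note description is derived from the serial number by a PRF (instantiated here with HMAC-SHA256, an assumption of this example), and the naive measure-in-a-random-basis-and-resend counterfeiter. Qubits are modelled classically as (basis, bit) pairs, which is exact for this scheme because every note is a product of single-qubit basis states. The enumeration at the end shows that each forged copy passes a single-qubit check with probability 3/4 but both copies together only with 5/8 per qubit; the $(3/4)^n$ figure above is an upper bound over all counterfeiting strategies, which this naive one does not reach.

```python
import hashlib
import hmac
import random
from fractions import Fraction

# Added example (not code from the paper). Basis 0 is the standard basis
# {|0>,|1>}, basis 1 the Hadamard basis {|+>,|->}. A conjugate-coded qubit is
# modelled classically as the pair (basis, bit). Measuring in the preparation
# basis returns `bit` and leaves the qubit unchanged; measuring in the other
# basis returns a uniformly random bit and collapses the qubit onto it.


def measure(qubit, basis, rng):
    """Return (outcome, post-measurement qubit) for a measurement in `basis`."""
    prep_basis, bit = qubit
    if basis == prep_basis:
        return bit, qubit
    outcome = rng.randrange(2)
    return outcome, (basis, outcome)


class WiesnerBank:
    """Wiesner's scheme: the bank keeps a classical description of every note."""

    def __init__(self, n, rng):
        self.n, self.rng, self.db = n, rng, {}

    def description(self, s):
        return self.db.get(s)

    def mint(self):
        s = self.rng.getrandbits(64)
        self.db[s] = [(self.rng.randrange(2), self.rng.randrange(2)) for _ in range(self.n)]
        return s, list(self.db[s])

    def verify(self, s, note):
        desc = self.description(s)
        if desc is None or len(note) != self.n:
            return False
        # Measure each qubit in the basis the bank knows it was prepared in.
        return all(measure(q, basis, self.rng)[0] == bit
                   for (basis, bit), q in zip(desc, note))


class BBBWBank(WiesnerBank):
    """BBBW variant: |psi_s> = |psi_{f_k(s)}>, so no database is needed. The PRF
    f_k is instantiated with HMAC-SHA256 here (an assumption of this example)."""

    def __init__(self, n, rng, key):
        assert n <= 128, "one HMAC output supplies 2n bits, so n <= 128"
        super().__init__(n, rng)
        self.key = key

    def description(self, s):
        stream = hmac.new(self.key, s.to_bytes(8, "big"), hashlib.sha256).digest()
        bits = "".join(f"{b:08b}" for b in stream)
        return [(int(bits[2 * i]), int(bits[2 * i + 1])) for i in range(self.n)]

    def mint(self):
        s = self.rng.getrandbits(64)
        return s, self.description(s)


def measure_and_resend(note, rng):
    """Naive counterfeiter: measure each qubit in a random basis, prepare two copies."""
    copy1, copy2 = [], []
    for q in note:
        guess = rng.randrange(2)
        outcome, _ = measure(q, guess, rng)
        copy1.append((guess, outcome))
        copy2.append((guess, outcome))
    return copy1, copy2


def naive_attack_probabilities(n):
    """Exact success of measure_and_resend against an n-qubit note, by enumerating
    the per-qubit cases: (P[one copy passes], P[both copies pass])."""
    one = both = Fraction(0)
    for prep in (0, 1):
        for guess in (0, 1):
            # Right basis guessed: the copy is exact. Wrong basis: each copy is an
            # eigenstate of the wrong basis and passes with probability 1/2.
            p = Fraction(1) if guess == prep else Fraction(1, 2)
            one += Fraction(1, 4) * p
            both += Fraction(1, 4) * p * p
    return one ** n, both ** n


def empirical_one_copy_rate(trials, seed):
    """Fraction of single-qubit naive forgeries the bank accepts (approaches 3/4)."""
    rng = random.Random(seed)
    bank = WiesnerBank(1, rng)
    hits = 0
    for _ in range(trials):
        s, note = bank.mint()
        forged, _ = measure_and_resend(note, rng)
        hits += bank.verify(s, forged)
    return hits / trials


def run_demo(n=20, seed=7):
    """Mint a BBBW note, verify it, and try to pass one naive forged copy."""
    rng = random.Random(seed)
    bank = BBBWBank(n, rng, key=b"bank-secret-key")
    s, note = bank.mint()
    forged, _ = measure_and_resend(note, rng)
    return bank.verify(s, note), bank.verify(s, forged)


if __name__ == "__main__":
    genuine, forged = run_demo()
    print("genuine accepted:", genuine, " naive forgery accepted:", forged)
    one, both = naive_attack_probabilities(20)
    print("naive attack, n=20: one copy %.2e, both copies %.2e" % (float(one), float(both)))
```

The bank object is also the online-attack surface described in item (2): `verify` hands back a measurement result per note, and nothing in this model limits how often a holder may resubmit a note, which is exactly the gap Section 7 of the paper addresses.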

These early ideas about quantum money inspired the field of quantum cryptography [13]. But strangely, the subject of quantum money itself lay dormant for more than two decades, even as interest in quantum computing exploded. However, the past few years have witnessed a "quantum money renaissance." Some recent work has offered partial solutions to the verifiability problem. For example, Mosca and Stebila [33] suggested that the bank use a blind quantum computing protocol to offload the verification of banknotes to local merchants, while Gavinsky [24] (see also followup work by Molina et al. [32] and Pastawski et al. [36]) proposed a variant of Wiesner's scheme that requires only classical communication between the merchant and bank.

^2 The adjective "unknown" is needed because, if we knew a classical description of a procedure to prepare $|\psi\rangle$, then of course we could run that procedure multiple times to prepare multiple copies.

^3 Indeed, if we could copy $|\psi\rangle$, then we could violate the uncertainty principle by measuring one observable (such as position) on some copies, and a complementary observable (such as momentum) on other copies. Conversely, if we could measure all the properties of $|\psi\rangle$ to unlimited accuracy, then we could use the measurement results to create additional copies of $|\psi\rangle$.

However, most of the focus today is on a more ambitious goal: namely, creating what Aaronson [3] called public-key quantum money, or quantum money that anyone could authenticate, not just the bank that printed it. As with public-key cryptography in the 1970s, it is far from obvious a priori whether public-key quantum money is possible at all. Can a bank publish a description of a quantum circuit that lets people feasibly recognize a state $|\psi\rangle$, but does not let them feasibly prepare or even copy $|\psi\rangle$?

Aaronson [3] gave the first formal treatment of public-key quantum money, as well as related notions such as copy-protected quantum software. He proved that there exists a quantum oracle relative to which secure public-key quantum money is possible. Unfortunately, that result, though already involved, did not lead in any obvious way to an explicit (or "real-world") quantum money scheme.^4 He raised as an open problem whether secure public-key quantum money is possible relative to a classical oracle. In the same paper, Aaronson also proposed an explicit scheme, based on random stabilizer states, but could not offer any evidence for its security. And indeed, the scheme was broken about a year afterward by Lutomirski et al. [31], using an algorithm for finding planted cliques in random graphs due to Alon, Krivelevich, and Sudakov [7].

Recently, Farhi et al. [23] took a completely different approach to public-key quantum money. They proposed a quantum money scheme based on knot theory, where each banknote is a superposition over exponentially-many oriented link diagrams. Within a given banknote, all the link diagrams $L$ have the same Alexander polynomial $p(L)$ (a certain knot invariant).^5 This $p(L)$, together with a digital signature of $p(L)$, serves as the banknote's "classical serial number." Besides the unusual mathematics employed, the work of Farhi et al. [23] (building on [31]) also introduced an idea that will play a major role in our work. That idea is to construct public-key quantum money schemes by composing two "simpler" ingredients: first, objects that we call mini-schemes; and second, classical digital signature schemes.

The main disadvantage of the knot-based scheme, which it shares with every previous scheme, is that no one can say much about its security — other than that it has not yet been broken, and that various known counterfeiting strategies fail. Indeed, even characterizing which quantum states Farhi et al.'s verification procedure accepts remains a difficult open problem, on which progress seems likely to require major advances in knot theory! In other words, there might be states that look completely different from "legitimate banknotes," but are still accepted with high probability.

In followup work, Lutomirski [30] proposed an "abstract" version of the knot scheme, which gets rid of the link diagrams and Alexander polynomials, and simply uses a classical oracle to achieve the same purposes. Lutomirski raised the challenge of proving that this oracle scheme is secure — in which case, it would have yielded the first public-key quantum money scheme that was proven secure relative to a classical oracle. Unfortunately, proving the security of Lutomirski's scheme remains open, and seems hard.^6

^4 Also, the proof of Aaronson's result never appeared — an inexcusable debt that this paper finally repays, with interest.

^5 Instead of knots, Farhi et al. [23] could also have used, say, superpositions over $n$-vertex graphs having the same eigenvalue spectrum. But in that case, their scheme would have been breakable, the reason being that the graph isomorphism problem is easy for random graphs. By contrast, it is not known how to solve knot isomorphism efficiently, even with a quantum computer and even for random knots.

As alluded to earlier, there is already some research on ways to break quantum money schemes. Besides the papers by Lutomirski [29] and Lutomirski et al. [31] mentioned before, let us mention the beautiful work of Farhi et al. on quantum state restoration [22]. As we discuss in Section 7, quantum state restoration can be used to break many public-key quantum money schemes: roughly speaking, any scheme where the banknotes contain only limited entanglement, and where verification consists of a rank-1 projective measurement. This fact explains why our scheme, like the knot-based scheme of Farhi et al. [23], will require highly-entangled banknotes.

1.2 The Challenge

Work over the past few years has revealed a surprising richness in the quantum money problem — both in the ideas that have been used to construct public-key quantum money schemes, and in the ideas that have been used to break them. Of course, this record also underscores the need for caution! To whatever extent we can, we ought to hold quantum money schemes to modern cryptographic standards, and not be satisfied with "we tried to break it and failed."

It is easy to see that, if public-key quantum money is possible, then it must rely on some computational assumption, in addition to the No-Cloning Theorem.^7 The best case would be to show that secure, public-key quantum money is possible, if (for example) there exist one-way functions resistant to quantum attack. Unfortunately, we seem a long way from showing anything of the kind. The basic problem is that uncloneability is a novel cryptographic requirement: something that would not even make sense in a classical context. Indeed, work by Farhi et al. [22] and Aaronson [3] has shown that it is sometimes possible to copy quantum banknotes, via attacks that do not even measure the banknotes in an attempt to learn a classical secret! Rather, these attacks simply perform some unitary transformation on a legitimate banknote $|\$\rangle$ together with an ancilla $|0\rangle$, the end result of which is to produce $|\$\rangle^{\otimes 2}$. Given such a strange attack, how can one deduce the failure of any "standard" cryptographic assumption?

Yet despite the novelty of the quantum money problem — or perhaps because of it — it seems reasonable to want some non-tautological evidence that a public-key quantum money scheme is secure. A minimal wish-list might include:

(1) Security under some plausible assumption, of a sort cryptographers know how to evaluate. Such an assumption should talk only about computing a classical output from a classical input; it should have nothing to do with cloning of quantum states.

(2) A proof that the money scheme is secure against black-box counterfeiters: those that do not exploit the structure of some cryptographic function $f$ used in verifying the banknotes.

(3) A "simple" verification process, which accepts all valid banknotes $|\$\rangle$ with probability 1, and rejects all banknotes that are far from $|\$\rangle$.

^6 One way to understand the difficulty is that any security proof for Lutomirski's scheme would need to contain, as a special case, a quantum lower bound for the so-called index erasure problem. In other words, any fast quantum algorithm for index erasure would imply a break of Lutomirski's scheme.

At present, the simplest known proof of a quantum lower bound for index erasure is via a reduction from Aaronson's quantum lower bound for the collision problem [1]. The latter is proved using the polynomial method of Beals et al. [11]. In this work, by contrast, we will only manage to prove the security of our oracle scheme using a specially-designed variant of Ambainis's quantum adversary method [8]. There is a recent lower bound for the index erasure problem using the adversary method [5], but it is quite involved.

^7 This is because a counterfeiter with unlimited time could simply search for a state $|\psi\rangle$ that the (publicly-known) verification procedure accepted.

1.3 Our Results

Our main contribution is a new public-key quantum money scheme, which achieves all three items in the wish-list above, and which is the first to achieve (1) or (2). Regardless of whether our particular scheme stands or falls, we introduce at least four techniques that should be useful for the design and analysis of any public-key quantum money scheme. These are:

• The "inner-product adversary method," a new variant of Ambainis's quantum adversary method [8] that can be used to rule out black-box counterfeiting strategies.

• A formal proof that full-fledged quantum money schemes can be constructed out of two simpler ingredients: (a) objects that we call mini-schemes, and (b) conventional digital signature schemes secure against quantum attack. (Note that this construction itself, sans the analysis, was introduced in earlier work on quantum money, by Lutomirski et al. [31] and Farhi et al. [23].)

• A method to amplify weak counterfeiters into strong ones, so that one only needs to rule out the latter to show security.

• A new connection between (a) the security of quantum money schemes, and (b) the security of conventional cryptosystems against attacks that succeed with exponentially-small probabilities.

A second contribution is to construct the first private-key quantum money schemes that remain unconditionally secure, even if the counterfeiter can interact adaptively with the bank. This gives the first solution to the "online attack problem," a major security hole in the Wiesner [41] and BBBW [13] schemes pointed out by Lutomirski [29] and Aaronson [3]. These private-key schemes are direct adaptations of our public-key scheme.

In more detail, our quantum money scheme is based on hidden subspaces of the vector space $\mathbb{F}_2^n$. Each of our money states is a uniform superposition of the vectors in a random $n/2$-dimensional subspace $A \leq \mathbb{F}_2^n$. We denote this superposition by $|A\rangle$. Crucially, we can recognize the state $|A\rangle$ using only membership oracles for $A$ and for its dual subspace $A^\perp$. To do so, we apply the membership oracle for $A$, then a Fourier transform, then the membership oracle for $A^\perp$, and then a second Fourier transform to restore the original state. We prove that this operation computes a rank-1 projection onto $|A\rangle$.

Underlying the security of our money schemes is the assertion that the states $|A\rangle$ are difficult to clone, even given membership oracles for $A$ and $A^\perp$. Or more concretely: any quantum algorithm that maps $|A\rangle$ to $|A\rangle^{\otimes 2}$ must make $2^{\Omega(n)}$ queries to the $A, A^\perp$ oracles.
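To make the two-test verifier concrete, here is an added example (not the paper's code) that builds $|A\rangle$ for a small $n$ as an explicit amplitude vector, applies "project onto $A$, $H^{\otimes n}$, project onto $A^\perp$, $H^{\otimes n}$", and checks numerically that a valid $|A\rangle$ is accepted with certainty, that $H^{\otimes n}|A\rangle = |A^\perp\rangle$, and that the composite acts as the rank-1 projector $|A\rangle\langle A|$: a different subspace state $|B\rangle$ is accepted with probability exactly $\langle A|B\rangle^2$ and what survives is proportional to $|A\rangle$. The membership oracles are simulated as explicit Python sets, so the verifier here is transparent; in the scheme they are the black boxes the counterfeiter must query.

```python
import math

# Added example; not the paper's code. A state over F_2^n is a list of 2**n real
# amplitudes indexed by the integer whose binary digits are the vector x; a
# subspace is a Python set of such integers (standing in for a membership oracle).


def dot(x, y):
    """Inner product of two F_2^n vectors (integers) mod 2."""
    return bin(x & y).count("1") & 1


def span(basis):
    vecs = {0}
    for b in basis:
        vecs |= {v ^ b for v in vecs}
    return vecs


def perp(subspace, n):
    """A^perp = all y in F_2^n with <x, y> = 0 for every x in A."""
    return {y for y in range(1 << n) if all(dot(x, y) == 0 for x in subspace)}


def subspace_state(subspace, n):
    """|A> = |A|^{-1/2} sum_{x in A} |x>."""
    amp = 1 / math.sqrt(len(subspace))
    return [amp if x in subspace else 0.0 for x in range(1 << n)]


def hadamard(state):
    """H^{(x)n}: a fast Walsh-Hadamard transform with 2^{-n/2} normalisation."""
    v = list(state)
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                a, b = v[j], v[j + h]
                v[j], v[j + h] = a + b, a - b
        h *= 2
    scale = 1 / math.sqrt(len(v))
    return [a * scale for a in v]


def project(state, subspace):
    """Membership-oracle test used as a projector: keep amplitude only on `subspace`."""
    return [a if x in subspace else 0.0 for x, a in enumerate(state)]


def verify(state, A, n):
    """The two tests of the paper: membership in A in the standard basis, then
    membership in A^perp in the Hadamard basis (H, test, H). The returned vector
    is P|state>; its squared norm is the acceptance probability."""
    s = project(state, A)
    s = hadamard(s)
    s = project(s, perp(A, n))
    return hadamard(s)


def accept_probability(state, A, n):
    return sum(a * a for a in verify(state, A, n))


def overlap(s, t):
    return sum(a * b for a, b in zip(s, t))


def distance(s, t):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(s, t)))


if __name__ == "__main__":
    n = 6
    A = span([0b000001, 0b000010, 0b000100])          # dim 3, so |A| = 8
    B = span([0b000001, 0b001000, 0b010000])          # meets A only in {0, 000001}
    stateA, stateB = subspace_state(A, n), subspace_state(B, n)
    print("H|A> = |A^perp>:", distance(hadamard(stateA), subspace_state(perp(A, n), n)) < 1e-12)
    print("accept |A>:", round(accept_probability(stateA, A, n), 6))
    print("accept |B>:", round(accept_probability(stateB, A, n), 6),
          "= <A|B>^2 =", round(overlap(stateA, stateB) ** 2, 6))
    print("accept |0...0>:", round(accept_probability(subspace_state({0}, n), A, n), 6))
```

The last line of the demo is the reason the second test matters: the all-zeros basis state lies in $A$ and would pass the standard-basis membership check alone, yet it is accepted with probability only $1/|A|$, because after $H^{\otimes n}$ it is spread over all of $\mathbb{F}_2^n$ rather than concentrated on $A^\perp$.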

In order to prove this statement, we introduce a new method for proving lower bounds on quantum query complexity, which we call the inner-product adversary method. This technique considers a single counterfeiting algorithm being run in parallel to clone two distinct states $|A\rangle$ and $|A'\rangle$, with each having access to the membership oracles for $A, A^\perp$ or $A', A'^\perp$, as appropriate. To measure how much progress the algorithm has made, we consider the inner product between the states produced by the parallel executions: because $\langle A|A'\rangle^2 < \langle A|A'\rangle$ for many pairs of subspaces $A, A'$, in order to succeed a counterfeiter will have to reduce this inner product substantially. We prove that when averaged over a suitable distribution of pairs $A, A'$, the expected inner product between the two states produced by the counterfeiter cannot decrease too much with a single query to the membership oracles. We conclude that in order to produce $|A\rangle^{\otimes 2}$ given $|A\rangle$ and membership oracles for $A, A^\perp$, a counterfeiter must use exponentially many queries.

Having ruled out the possibility of nearly perfect cloning, we introduce a new amplification protocol, which allows us to transform a counterfeiter who succeeds with $\Omega(1/\mathrm{poly}(n))$ success probability into a counterfeiter who succeeds with probability arbitrarily close to 1. This technique is based on combining standard Grover search with a monotonic state amplification protocol of Tulsi, Grover, and Patel [40], to obtain monotonic convergence with the quadratic speedup of Grover search.^8 Combining this amplification with the inner-product adversary method, and applying a random linear transformation to convert the counterfeiter's worst case to its average case, we conclude that no counterfeiting algorithm can succeed with any non-negligible probability on a non-negligible fraction of states $|A\rangle$.

Using these results, how do we produce a secure quantum money scheme? We now need to step back, and discuss some general constructions that have nothing to do with hidden subspaces in particular. Before constructing full-fledged quantum money schemes, we find it useful — following [31, 23] — to construct simpler objects called quantum money mini-schemes, in which the bank issues only a single money state and maintains no secret information. Formally, a mini-scheme is a protocol $\mathrm{Bank}$ for outputting pairs $(s, \rho_s)$ and a verification procedure $\mathrm{Ver}_s$ for identifying $\rho_s$. We say a mini-scheme is complete if the state $\rho_s$ passes the verification $\mathrm{Ver}_s$ with high probability, and we say the scheme is secure if furthermore no counterfeiter can take a single state $\rho_s$, and produce two (possibly-entangled) states $\rho_1$ and $\rho_2$ which simultaneously pass the verification procedure with non-negligible probability.

In the case of hidden subspace money, for example, we can use our uncloneability result to produce a secure mini-scheme relative to a classical oracle. The algorithm $\mathrm{Bank}$ queries the classical oracle to obtain a serial number $s$ and the description of a subspace $A$. Using this description, it prepares $|A\rangle$ and publishes $(s, |A\rangle)$. The verification procedure uses the serial number $s$ as an index into another classical oracle, which allows it to test membership in $A$ and $A^\perp$. We prove that the uncloneability of the states $|A\rangle$ implies that this mini-scheme is secure.

Using a construction introduced by Lutomirski et al. [31] and Farhi et al. [23], we also show that, given any mini-scheme $\mathcal{M}$, one can obtain a full-fledged quantum money scheme by combining $\mathcal{M}$ with any (classical) digital signature scheme secure against quantum attacks. In the construction of [31, 23], the issuing bank first uses the mini-scheme to produce a pair $(s, \rho_s)$; then it digitally signs the serial number $s$ and distributes $(s, \rho_s, \mathrm{Sign}(s))$ as its banknote. Our contribution is to prove rigorously that, if a counterfeiter can break the money scheme, then it must have been able to break either the underlying mini-scheme or else the signature scheme.

By combining this reduction with our mini-scheme, we are able to obtain a "black-box" public-key quantum money scheme relative to a classical oracle, which is unconditionally secure:

Theorem (Security of Hidden Subspace Money). Relative to some (classical) oracle $\mathcal{A}$, there exists a secure public-key quantum money scheme.

More precisely, there is an algorithm $\mathrm{KeyGen}$ which outputs pairs $(k_{\mathrm{private}}, k_{\mathrm{public}})$ with security parameter $n$; an algorithm $\mathrm{Bank}(k_{\mathrm{private}})$ which generates a "quantum banknote" $|\$\rangle$; and a verification algorithm $\mathrm{Ver}(k_{\mathrm{public}}, |\$\rangle)$ which tests the authenticity of a purported banknote. These algorithms are polynomial-time and have the following properties:

Completeness: If $(k_{\mathrm{private}}, k_{\mathrm{public}})$ is produced by $\mathrm{KeyGen}^{\mathcal{A}}$, then $\mathrm{Ver}^{\mathcal{A}}(k_{\mathrm{public}}, \mathrm{Bank}^{\mathcal{A}}(k_{\mathrm{private}}))$ accepts with certainty.

Soundness: Suppose a would-be polynomial-time counterfeiter with access to $\mathcal{A}$ and $k_{\mathrm{public}}$ is given $q$ valid banknotes. If this counterfeiter outputs any number of (possibly-entangled) quantum states, there is at most a $1/\exp(n)$ probability that $\mathrm{Ver}$ will accept more than $q$ of them.

^8 Although the "quadratic speedup" part is not strictly necessary for us, it improves our lower bound on the number of queries the counterfeiter needs to make — to the tight one, in fact — and might be of independent interest.

By adapting these ideas to the private-key setting, we are also able to provide the first private-key quantum money scheme that is unconditionally secure, even if the counterfeiter is able to interact adaptively with the bank. This patches a security hole in Wiesner's original scheme which was observed in [29, 3], but which has not previously been addressed in a provably-secure way.

Finally, we provide a candidate cryptographic protocol for obfuscating the indicator functions of subspaces $A \leq \mathbb{F}_2^n$. In order to obfuscate a membership oracle for $A$, we provide a random system of polynomials $p_1, \ldots, p_m$ that vanish on $A$. Membership in $A$ can be tested by evaluating the $p_i$'s, but given only the $p_i$'s, we conjecture that it is difficult to recover $A$. Combining this protocol with the black-box money scheme, we obtain an explicit quantum money scheme. This scheme is also the first public-key quantum money scheme whose security can be based on a plausible "classical" cryptographic assumption. Here is the assumption:

Conjecture (*). Suppose $A$ is a uniformly-random $n/2$-dimensional subspace of $\mathbb{F}_2^n$, and that $\{p_i\}_{1 \le i \le 2n}$, $\{q_i\}_{1 \le i \le 2n}$ are systems of degree-$d$ polynomials from $\mathbb{F}_2^n$ to $\mathbb{F}_2$, which vanish on $A$ and $A^\perp$ respectively but are otherwise uniformly-random. Then for large enough constant $d$, there is no polynomial-time quantum algorithm that takes as input descriptions of the $p_i$'s and $q_i$'s, and that outputs a basis for $A$ with success probability $\Omega(2^{-n/2})$.

Note that we can trivially guess a single nonzero element of $A$ with success probability $2^{-n/2}$, but guessing a whole basis for $A$ would succeed with probability only $2^{-\Omega(n^2)}$. Conjecture (*) asserts that it is harder to find many elements of $A$ than to find just one element.
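The following added example (not the paper's own sampler, and not claimed to produce the exact "uniformly random polynomial vanishing on $A$" distribution of Conjecture (*)) shows the mechanics of the obfuscated membership oracle: a random $n/2$-dimensional $A \leq \mathbb{F}_2^n$ is chosen, a basis of $A^\perp$ is computed, and each published polynomial is $\sum_i r_i \cdot \ell_i$ with $\ell_i$ the linear forms of that basis (their common zero set is exactly $A$) and $r_i$ random polynomials of degree $d-1$. Every such polynomial is zero on $A$, and at any point outside $A$ it is a uniformly random bit, so $2n$ of them recognise $A$ with false-positive probability $2^{-2n}$ per point. The same routine applied with a basis of $A$ yields the $q_i$'s for $A^\perp$. Polynomials are multilinear monomial sets ($x_i^2 = x_i$), and $n = 8$, $d = 4$ are demo sizes (an assumption) small enough to check the oracle against the true subspace on all of $\mathbb{F}_2^n$.

```python
import itertools
import random

# Added example; the sampler here is one way to produce random polynomials
# vanishing on A and is not claimed to be the paper's own construction. Vectors
# in F_2^n are integers (bit i = coordinate x_i); a polynomial over F_2 is a set
# of monomials, each monomial a frozenset of variable indices (x_i^2 = x_i).


def evaluate(poly, x):
    """p(x) mod 2: a monomial is 1 at x iff all its variables are set."""
    return sum(all((x >> i) & 1 for i in mono) for mono in poly) & 1


def multiply(p, q):
    out = set()
    for m1 in p:
        for m2 in q:
            out ^= {m1 | m2}          # coefficients add mod 2
    return out


def random_poly(n, degree, rng):
    """Uniformly random multilinear polynomial of degree <= `degree`."""
    return {frozenset(m) for d in range(degree + 1)
            for m in itertools.combinations(range(n), d) if rng.randrange(2)}


def linear_form(y):
    """The polynomial x -> <x, y> over F_2."""
    return {frozenset([i]) for i in range(y.bit_length()) if (y >> i) & 1}


class XorBasis:
    """Gaussian elimination over F_2, keyed by the pivot (highest set) bit."""

    def __init__(self):
        self.pivots = {}

    def reduce(self, v):
        while v:
            p = v.bit_length() - 1
            if p not in self.pivots:
                return v
            v ^= self.pivots[p]
        return 0

    def insert(self, v):
        v = self.reduce(v)
        if v:
            self.pivots[v.bit_length() - 1] = v
        return bool(v)

    def contains(self, v):
        return self.reduce(v) == 0


def random_subspace(n, dim, rng):
    basis = XorBasis()
    while len(basis.pivots) < dim:
        basis.insert(rng.getrandbits(n))
    return basis


def perp_basis(subspace, n):
    """Basis of A^perp, found by brute force (fine for the small n of a demo)."""
    out = XorBasis()
    for y in range(1 << n):
        if all(bin(y & b).count("1") % 2 == 0 for b in subspace.pivots.values()):
            out.insert(y)
    return out


def vanishing_polys(perp, n, degree, count, rng):
    """`count` random degree-<=`degree` polynomials vanishing on A = (A^perp)^perp:
    each is sum_i r_i * l_i with l_i the linear forms of a basis of A^perp and r_i
    random of degree <= degree-1. Outside A some l_i is 1, so the value is a
    uniformly random bit (the constant term of r_i is random)."""
    forms = [linear_form(y) for y in perp.pivots.values()]
    polys = []
    for _ in range(count):
        p = set()
        for l in forms:
            p ^= multiply(random_poly(n, degree - 1, rng), l)
        polys.append(p)
    return polys


def is_member(polys, x):
    """The obfuscated membership oracle: x in A iff every p_i(x) = 0."""
    return all(evaluate(p, x) == 0 for p in polys)


def demo(n=8, degree=4, seed=2):
    """Hide a random n/2-dim A and A^perp behind 2n polynomials each, then compare the
    oracles with the true subspaces over all of F_2^n. Returns
    (misses on A, false positives for A, misses on A^perp, false positives for A^perp)."""
    rng = random.Random(seed)
    A = random_subspace(n, n // 2, rng)
    Aperp = perp_basis(A, n)
    p_polys = vanishing_polys(Aperp, n, degree, 2 * n, rng)   # vanish on A
    q_polys = vanishing_polys(A, n, degree, 2 * n, rng)       # vanish on A^perp
    counts = [0, 0, 0, 0]
    for x in range(1 << n):
        in_A, in_Ap = A.contains(x), Aperp.contains(x)
        counts[0] += in_A and not is_member(p_polys, x)
        counts[1] += (not in_A) and is_member(p_polys, x)
        counts[2] += in_Ap and not is_member(q_polys, x)
        counts[3] += (not in_Ap) and is_member(q_polys, x)
    return tuple(counts)


if __name__ == "__main__":
    print("(misses on A, false positives, misses on A^perp, false positives):", demo())
```

With `degree=1` the published $p_i$ would themselves be linear forms in $A^\perp$, and $A$ would fall out of Gaussian elimination on them; that is the degenerate end of the degree-reduction attacks mentioned below, and the reason the conjecture needs $d$ large.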

The following theorem says that, if a counterfeiter could break our quantum money scheme, then with nontrivial success probability, it could also recover a description of $A$ from the $p_i$'s and $q_i$'s alone — even without having access to a bank that provides a valid money state $|A\rangle$.

Theorem. Assuming Conjecture (*), there exists a public-key quantum money scheme with perfect completeness and $1/\exp(n)$ soundness error. That is, the verifier always accepts valid banknotes, and a would-be counterfeiter succeeds only with $1/\exp(n)$ probability.^9

The problem of recovering a subspace $A$, given a system of equations that vanish on $A$, is closely related to algebraic cryptanalysis, and in particular to the so-called polynomial isomorphism problem. In the latter problem, we are given as input two polynomials $p, q : \mathbb{F}^n \to \mathbb{F}$ related by an unknown linear change of basis $L$; the challenge is to find $L$. When $\deg(p) = \deg(q) = 3$, the best known algorithms for the polynomial isomorphism problem require exponential time [37, 25, 17]. An attacker might be able to use known techniques to effectively reduce the degree of the polynomials in our scheme by 1, at the expense of an exponentially reduced success probability [17]. Provided the degree is at least 4, however, recovering $A$ seems to be well beyond existing techniques.

^9 This theorem remains true even if the statement of Conjecture (*) is weakened by adding random noise to the $p_i$'s and $q_i$'s, so that only a constant fraction of them vanish on $A$ or $A^\perp$. The presence of noise interferes substantially with known techniques for solving systems of equations, though an attacker who was able to recover $A$ from a single polynomial would of course not be hindered by such noise.

1.4 Motivation

Unlike the closely-related task of quantum key distribution [13] (which is already practical), quantum money currently seems to be a long way off. The basic difficulty is how to maintain the coherence of a quantum money state for an appreciable length of time. All money eventually loses its value unless it is spent, but money that decohered on a scale of microseconds would be an extreme example!

So one might wonder: why develop rigorous foundations for a cryptographic functionality that seems so far from being practical? One answer is that, just as quantum key distribution uses many of the same ideas as private-key quantum money, but without requiring long-lasting coherence, so it is not hard to imagine protocols that would use many of the same ideas as public-key quantum money without requiring long-lasting coherence. Indeed, depending on the problem, rapid decoherence might be a feature rather than a bug!

As one example, public-key quantum money that decohered quickly could be used to create non-interactive uncloneable signatures. These are $n$-qubit quantum states $|\psi\rangle$ that an agent can efficiently prepare using a private key, then freely hand out to passersby. By feeding $|\psi\rangle$, together with the agent's public key, into suitable measuring equipment, anyone can verify on the spot that the agent is who she says she is and not an impostor. Compared with classical identification protocols, the novel feature here is that the agent does not need to respond to a challenge — for example, digitally signing a random string — but can instead just hand out a fixed $|\psi\rangle$ non-interactively. Furthermore, because $|\psi\rangle$ decoheres in a matter of seconds, and recovering a classical description of $|\psi\rangle$ from measurements on it is computationally intractable, someone who is given $|\psi\rangle$ cannot use it later to impersonate the agent.

Of course, if an attacker managed to solve the technological problem of keeping $|\psi\rangle$ coherent for very long times, then he could break this system, by collecting one or more copies of $|\psi\rangle$ that an agent had handed out, and using them to impersonate the agent. But in that case, whatever method the attacker was using to keep the states coherent could also — once discovered — be used to create a secure public-key quantum money scheme!

However, we believe the "real" reason to study quantum money is basically the same as the "real" reason to study quantum computing as a whole — or for that matter, to study the many interesting aspects of classical cryptography that are equally far from application. As theoretical computer scientists, we are in the business of mapping out the inherent capabilities and limits of information processing.

In our case, what quantum money provides is a near-ideal playground for understanding the implications of the uncertainty principle and the No-Cloning Theorem. In the early days of quantum mechanics, Bohr [15] and others argued that the uncertainty principle requires us to change our conception of science itself — their basic argument being that, in physics, predictions are only ever as good as our knowledge of a system's initial state $|\psi\rangle$, but the uncertainty principle might mean that the initial state is unknowable even with arbitrarily-precise measurements.

But does this argument have any "teeth"? In other words: among the properties of a quantum state $|\psi\rangle$ that make the state impossible to learn precisely or to duplicate, can any of those properties ever matter empirically? To us, quantum money is interesting precisely because it gives one of the clearest examples where the answer to that question is yes.

2 Preliminaries

To begin, we fix some notation. Let $[N] = \{1, \ldots, N\}$. We call a function $\delta(n)$ negligible if $\delta(n) = o(1/p(n))$ for every polynomial $p$. Given a subspace $S$ of a vector space $V$, let $S^\perp$ be the orthogonal complement of $S$: that is, the set of $y \in V$ such that $x \cdot y = 0$ for all $x \in S$. It is not hard to show that $S^\perp$ is also a subspace of $V$, that $(S^\perp)^\perp = S$, and that these properties hold even if $\cdot$ is "merely" a dot product rather than an inner product. As a word of warning, this paper will use the same notation $S^\perp$ in two very different contexts:

• When $V = \mathbb{C}^{2^n}$, the orthogonal complement $S^\perp$ of, e.g., the subspace $S \leq V$ spanned by a single computational basis state $|x\rangle$, has $2^n - 1$ dimensions and is spanned by all basis states $|y\rangle$ such that $y \neq x$.

• When $V = \mathbb{F}_2^n$, the orthogonal complement $S^\perp$ of, e.g., the subspace $S \leq V$ spanned by a single nonzero string $x = x_1 \ldots x_n$, has $n - 1$ dimensions and consists of all strings $y = y_1 \ldots y_n$ such that $x_1 y_1 + \cdots + x_n y_n = 0 \pmod 2$.

By a classical oracle, we will mean a unitary transformation of the form $|x\rangle \to (-1)^{f(x)} |x\rangle$, for some Boolean function $f : \{0,1\}^* \to \{0,1\}$. Note that, unless specified otherwise, even a classical oracle can be queried in quantum superposition. A quantum oracle, by contrast, is an arbitrary $n$-qubit unitary transformation $U$ (or rather, a collection of such $U$'s, one for each $n$) that a quantum algorithm can apply in a black-box fashion. Quantum oracles were defined and studied by Aaronson and Kuperberg [5].

2.1 Cryptography 

Before we construct quantum money schemes, it will be helpful to have some "conventional" cryp- 
tographic primitives in our toolbox. Foremost among these is a digital signature scheme secure 
against quantum chosen-message attacks. We now define digital signature schemes — both for 
completeness, and to fix the quantum attack model that is relevant for us. 

Definition 1 (Digital Signature Schemes). A (classical, public-key) digital signature scheme $\mathcal{D}$ consists of three probabilistic polynomial-time classical algorithms:

• KeyGen, which takes as input a security parameter $0^n$, and generates a key pair $(k_{\mathrm{private}}, k_{\mathrm{public}})$.

• Sign, which takes as input $k_{\mathrm{private}}$ and a message $x$, and generates a signature $\mathrm{Sign}(k_{\mathrm{private}}, x)$.^{10}

• Ver, which takes as input $k_{\mathrm{public}}$, a message $x$, and a claimed signature $w$, and either accepts or rejects.

We say $\mathcal{D}$ has completeness error $\varepsilon$ if $\mathrm{Ver}(k_{\mathrm{public}}, x, \mathrm{Sign}(k_{\mathrm{private}}, x))$ accepts with probability at least $1 - \varepsilon$ for all messages $x$ and key pairs $(k_{\mathrm{private}}, k_{\mathrm{public}})$. Here the probability is over the behavior of Ver and Sign.

^{10} We indulge in slight abuse of notation, since if Sign is randomized then the signature need not be a function of $k_{\mathrm{private}}$ and $x$.

Let $C$ (the counterfeiter) be a quantum circuit of size $\mathrm{poly}(n)$ that takes $k_{\mathrm{public}}$ as input^{11} and does the following:

(1) Probabilistically generates a classical list of messages $x_1, \ldots, x_m$, and submits them to a signing oracle $\mathcal{O}$.

(2) Gets back independently-generated signatures $w_1, \ldots, w_m$, where $w_i := \mathrm{Sign}(k_{\mathrm{private}}, x_i)$.

(3) Outputs a pair $(x, w)$.

We say $C$ succeeds if $x \notin \{x_1, \ldots, x_m\}$ and $\mathrm{Ver}(k_{\mathrm{public}}, x, w)$ accepts. We say $\mathcal{D}$ has soundness error $\delta$ if every counterfeiter $C$ succeeds with probability at most $\delta$. Here the probability is over the key pair $(k_{\mathrm{private}}, k_{\mathrm{public}})$ and the behavior of $C$, Sign, and Ver.

We call $\mathcal{D}$ secure against nonadaptive quantum chosen-message attacks if it has completeness error $\le 1/3$ and negligible soundness error.

Intuitively, we call a signature scheme "secure" if no quantum counterfeiter with nonadaptive, classical access to a signing oracle $\mathcal{O}$ can forge a signature for any message that it did not submit to $\mathcal{O}$. Depending on the application, one might want to generalize Definition 1 in various ways: for example, by giving the counterfeiter adaptive or quantum access to $\mathcal{O}$, or by letting KeyGen, Sign, and Ver be quantum algorithms themselves. For this paper, however, Definition 1 provides all we need.

Do signature schemes secure against quantum attack exist? Naturally, signature schemes based on RSA or other number-theoretic problems can all be broken by a quantum computer. However, building on earlier work by Naor and Yung [34] (among many others), Rompel [39] showed that a secure public-key signature scheme can be constructed from any one-way function, not necessarily a trapdoor function. Furthermore, Rompel's security reduction, from breaking the signature scheme to inverting the one-way function, is black-box: in particular, nothing in it depends on the assumption that the adversary is classical rather than quantum. We therefore get the following consequence:

Theorem 2 (Quantum-Secure Signature Schemes [39]). If there exists a (classical) one-way function $f$ secure against quantum attack, then there also exists a digital signature scheme secure against quantum chosen-message attacks.
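As an added example (not code from the paper or from the cited works), here is the chosen-message game of Definition 1 played out against Lamport's one-time signature, the hash-based one-time building block that the Naor-Yung/Rompel line of constructions extends into a many-time scheme. SHA-256 stands in for the one-way function $f$, messages are first hashed to 256 bits, the serial-number messages are constructed inputs, and the names (keygen, cover_attack, and so on) are this example's own. It shows what Theorem 2 has to add on top of a one-time scheme: once one Lamport key signs more than a handful of messages, a nonadaptive counterfeiter can assemble a signature on a message it never submitted.

```python
# Added example (not the paper's code): Lamport one-time signatures with the
# KeyGen/Sign/Ver interface of Definition 1, and the chosen-message game of
# that definition run against a key that is reused.  Assumptions: SHA-256
# plays the one-way function; a message is first hashed to N_BITS bits.
import hashlib
import os

N_BITS = 256

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def msg_bits(x: bytes):
    """The N_BITS bits of h(x), most significant first."""
    d = int.from_bytes(h(x), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]

def keygen():
    """k_private: two random preimages per bit position; k_public: their images."""
    k_private = [(os.urandom(32), os.urandom(32)) for _ in range(N_BITS)]
    k_public = [(h(a), h(b)) for a, b in k_private]
    return k_private, k_public

def sign(k_private, x: bytes):
    """Reveal, for each position i, the preimage selected by bit i of h(x)."""
    return [k_private[i][b] for i, b in enumerate(msg_bits(x))]

def ver(k_public, x: bytes, w) -> bool:
    if len(w) != N_BITS:
        return False
    return all(h(w[i]) == k_public[i][b] for i, b in enumerate(msg_bits(x)))

def cover_attack(k_public, oracle, x: bytes, max_queries=64):
    """Counterfeiter C of Definition 1, nonadaptive: the query list x_1..x_m is
    fixed before any signature comes back, and the target x is never submitted.
    C picks messages whose digests agree with the digest of x at every position
    between them, so the revealed preimages can be spliced into a signature on x.
    Returns (queries, forged signature or None if coverage failed)."""
    target = msg_bits(x)
    needed = set(range(N_BITS))
    queries, covering = [], {}
    for j in range(10_000):                      # deterministic candidate messages
        if not needed or len(queries) >= max_queries:
            break
        cand = b"query-%d" % j
        if cand == x:
            continue
        bits = msg_bits(cand)
        hits = [i for i in needed if bits[i] == target[i]]
        if not hits:
            continue
        queries.append(cand)
        covering.update({i: cand for i in hits})
        needed -= set(hits)
    if needed:
        return queries, None
    sigs = {q: oracle(q) for q in queries}       # all queries submitted together
    forged = [sigs[covering[i]][i] for i in range(N_BITS)]
    return queries, forged

if __name__ == "__main__":
    k_private, k_public = keygen()
    s1 = b"serial-0001"                          # constructed sample message
    w1 = sign(k_private, s1)
    print("honest signature verifies:", ver(k_public, s1, w1))
    print("same signature on another serial:", ver(k_public, b"serial-0002", w1))
    # With one query the scheme holds; reuse the key for roughly log2(N_BITS)
    # plus a few serials and every preimage the forger needs has been handed out.
    queries, forged = cover_attack(k_public, lambda m: sign(k_private, m), b"serial-0002")
    print("queries submitted:", len(queries), "; forgery verifies:",
          forged is not None and ver(k_public, b"serial-0002", forged))
```

Each query reveals, in expectation, half of the preimages still missing for the target, so about ten signatures suffice. The attack never submits the target and chooses its queries before seeing any signature, so it is a winning counterfeiter in the sense of Definition 1 against any use of a Lamport key for more than one message; the many-time schemes behind Theorem 2 exist precisely to close this gap while keeping the reduction to one-wayness black-box.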

Recently, Boneh et al. [16] proved several results similar to Theorem 2, and they needed nontrivial work to do so. However, a crucial difference is that Boneh et al. were (justifiably) concerned with quantum adversaries who can make quantum queries to the signing oracle $\mathcal{O}$. By contrast, as mentioned earlier, for our application it suffices to consider adversaries who query $\mathcal{O}$ classically, and in that case, the standard security reductions go through essentially without change.

Let us state another consequence of Theorem 2, which will be useful for our oracle construction in Section 5.



^{11} Actually, for our security proofs, it suffices to consider a weaker attack model, in which $C$ only receives $k_{\mathrm{public}}$ at the same time as it receives $w_1, \ldots, w_m$. This model was called "existential unforgeability under static chosen-message attacks" by Cash et al. [19]. We thank an anonymous reviewer for this observation.

Theorem 3 (Relativized Quantum-Secure Signatures). Relative to a suitable oracle $A$, there exists a digital signature scheme secure against quantum chosen-message attacks.

Proof Sketch. It is easy to give an oracle $A : \{0,1\}^* \to \{0,1\}$ relative to which there exists a one-way function $f_n : \{0,1\}^n \to \{0,1\}^{p(n)}$ secure against quantum adversaries. Indeed, we can let $A$ be a random oracle, and then define
$$f_n(x) := A(x, 1) \cdots A(x, p(n))$$
directly in terms of $A$. Assume $p(n) > n$. Then the lower bound on the quantum query complexity of function inversion, proved by Bennett et al. [12] and Ambainis [8], straightforwardly implies that any quantum algorithm to invert $f_n$ with success probability $\varepsilon > 0$ must make $\Omega(\sqrt{\varepsilon}\, 2^{n/2})$ quantum queries to $A$.

Now, the security reduction of Rompel [39] is not only black-box but relativizing: that is, it goes through if all legitimate and malicious parties have access to the same oracle $A$. So by Theorem 2, starting from $\{f_n\}$ one can construct a digital signature scheme relative to the same oracle $A$, which is secure against quantum chosen-message attacks. □

2.2 Quantum Information 

Let us collect a few facts about quantum pure and mixed states that are used in the paper. We assume basic familiarity with the formalism of bras, kets, density matrices, etc.; see Nielsen and Chuang [35] for a good overview.

Given two mixed states $\rho$ and $\sigma$, their trace distance is defined as $D(\rho, \sigma) := \frac{1}{2} \sum_{i=1}^{n} |\lambda_i|$, where $\lambda_1, \ldots, \lambda_n$ are the eigenvalues of $\rho - \sigma$. Trace distance is a metric and satisfies $0 \le D(\rho, \sigma) \le 1$. Also, the fidelity $0 \le F(\rho, \sigma) \le 1$ is defined, in this paper, as the maximum of $|\langle\psi|\varphi\rangle|$ over all purifications $|\psi\rangle$ of $\rho$ and $|\varphi\rangle$ of $\sigma$.^{12} By extension, given a subspace $S$, we let $F(\rho, S)$ be the maximum of $|\langle\psi|\varphi\rangle|$ over all purifications $|\psi\rangle$ of $\rho$ and all unit vectors $|\varphi\rangle \in S$. Trace distance and fidelity are related as follows [35]:

Proposition 4. For all mixed states $\rho, \sigma$,
$$D(\rho, \sigma) \le \sqrt{1 - F(\rho, \sigma)^2},$$
with equality if $\rho$ and $\sigma$ are both pure. (Equality can fail when only one of them is pure: for the maximally mixed qubit $\rho = I/2$ and $\sigma = |0\rangle\langle 0|$, $D = 1/2$ while $\sqrt{1 - F^2} = 1/\sqrt{2}$.)



While fidelity is not a metric, it does satisfy the following inequality, which will be helpful in Section 5.

Lemma 5 ("Triangle Inequality" for Fidelity). Suppose $\langle\psi|\rho|\psi\rangle \ge 1 - \varepsilon$ and $\langle\varphi|\sigma|\varphi\rangle \ge 1 - \varepsilon$. Then $F(\rho, \sigma) \le |\langle\psi|\varphi\rangle| + 2\varepsilon^{1/4}$.

Proof. Since $F(\rho, |\psi\rangle) = \sqrt{\langle\psi|\rho|\psi\rangle} \ge \sqrt{1 - \varepsilon}$, Proposition 4 gives
$$D(\rho, |\psi\rangle) \le \sqrt{1 - F(\rho, |\psi\rangle)^2} \le \sqrt{\varepsilon},$$
and likewise $D(\sigma, |\varphi\rangle) \le \sqrt{\varepsilon}$. Thus, since trace distance satisfies the triangle inequality, and since $D(|\psi\rangle, |\varphi\rangle) = \sqrt{1 - |\langle\psi|\varphi\rangle|^2}$ by the equality case of Proposition 4,
$$D(\rho, \sigma) \ge D(|\psi\rangle, |\varphi\rangle) - D(\rho, |\psi\rangle) - D(\sigma, |\varphi\rangle) \ge \sqrt{1 - |\langle\psi|\varphi\rangle|^2} - 2\sqrt{\varepsilon}.$$
Then
$$F(\rho, \sigma) \le \sqrt{1 - D(\rho, \sigma)^2} \le \sqrt{1 - \left(\sqrt{1 - |\langle\psi|\varphi\rangle|^2} - 2\sqrt{\varepsilon}\right)^2} \le \sqrt{|\langle\psi|\varphi\rangle|^2 + 4\sqrt{\varepsilon}} \le |\langle\psi|\varphi\rangle| + 2\varepsilon^{1/4},$$
where the third inequality uses $(b - c)^2 \ge b^2 - 2c$ for $0 \le b \le 1$ and $c \ge 0$. (If the right-hand side of the previous display is negative, the final bound holds trivially, since then $1 - |\langle\psi|\varphi\rangle|^2 < 4\sqrt{\varepsilon}$ and so $1 < |\langle\psi|\varphi\rangle| + 2\varepsilon^{1/4}$.) □

^{12} Some authors instead define "fidelity" as the maximum of $|\langle\psi|\varphi\rangle|^2$.

Finally, the following lemma of Aaronson [2] will imply that, as long as a quantum money scheme has small completeness error (i.e., small probability of rejecting a valid banknote), the banknotes can be reused many times.

Lemma 6 ("Almost As Good As New Lemma" [2]). Suppose a measurement on a mixed state $\rho$ yields a particular outcome with probability $1 - \varepsilon$. Then after the measurement, one can recover a state $\tilde\rho$ such that $\|\tilde\rho - \rho\|_{\mathrm{tr}} \le \sqrt{\varepsilon}$.

2.3 Quantum Search 

In our security proof for quantum money, an important step will be to amplify a counterfeiter who copies a banknote $\$$ with any non-negligible fidelity to a counterfeiter who copies $\$$ almost perfectly. Taking the contrapositive, this will imply that to rule out the former sort of counterfeiter, it suffices to rule out the latter.

In this section, we first review two variants of Grover's search algorithm [26] that are useful for amplifying the fidelity of quantum states. We then introduce a variant that combines the advantages of both.

Assume we are given a pure initial state $|\mathrm{Init}\rangle$, in some Hilbert space $\mathcal{H}$. Our goal is to map $|\mathrm{Init}\rangle$ to a final state $|\Psi\rangle$ that lies in (or close to) a "good subspace" $G \le \mathcal{H}$. We have oracle access to two unitary transformations:

• $U_{\mathrm{Init}}$, which maps $|\mathrm{Init}\rangle$ to $-|\mathrm{Init}\rangle$, and acts as the identity on all $|v\rangle$ orthogonal to $|\mathrm{Init}\rangle$.

• $U_G$, which maps $|v\rangle$ to $-|v\rangle$ for all $|v\rangle \in G$, and acts as the identity on all $|v\rangle$ orthogonal to $G$.

We are promised that the fidelity of the initial state with $G$,
$$F(|\mathrm{Init}\rangle, G) = \max_{|\psi\rangle \in G} |\langle \mathrm{Init} | \psi \rangle|,$$
is at least some $\varepsilon > 0$.

In this scenario, provided $F(|\mathrm{Init}\rangle, G)$ is known, the amplitude amplification framework of Brassard, Høyer, Mosca, and Tapp [18] lets us prepare a state close to $G$ using only $O(1/\varepsilon)$ iterations:

Lemma 7 (Amplitude Amplification [18]). Write $|\mathrm{Init}\rangle$ as $\sin\theta\, |\mathrm{Good}\rangle + \cos\theta\, |\mathrm{Bad}\rangle$, where $|\mathrm{Good}\rangle$ is the unit vector formed by projecting $|\mathrm{Init}\rangle$ onto $G$, and $|\mathrm{Bad}\rangle$ is orthogonal to $|\mathrm{Good}\rangle$. Then by using $O(T)$ oracle calls to $U_{\mathrm{Init}}$ and $U_G$, we can prepare the state
$$|\Phi_T\rangle := \sin[(2T + 1)\theta]\, |\mathrm{Good}\rangle + \cos[(2T + 1)\theta]\, |\mathrm{Bad}\rangle.$$

Note that Grover's algorithm is simply a special case of Lemma 7, where $|\mathrm{Init}\rangle$ is the uniform superposition over $N$ basis states $|1\rangle, \ldots, |N\rangle$, and $G$ is the subspace spanned by the "marked" states.

However, Lemma 7 has an annoying drawback, which it shares with ordinary Grover search. Namely, the algorithm does not converge monotonically toward the target subspace $G$, but could instead "wildly overshoot it," cycling around the 2-dimensional subspace spanned by $|\mathrm{Bad}\rangle$ and $|\mathrm{Good}\rangle$. If we know the fidelity $F(|\mathrm{Init}\rangle, G)$ in advance (rather than just a lower bound on the fidelity), or if we can prepare new copies of $|\mathrm{Init}\rangle$ "free of charge" in case of failure, then this overshooting is not a serious problem. Alas, neither of those conditions will hold in our application.

Fortunately, for independent reasons, in 2005 Tulsi, Grover, and Patel [40] introduced a new quantum search algorithm that does guarantee monotonic convergence toward $G$, by alternating unitary transformations with measurements. (Their algorithm was later simplified and improved by Chakraborty, Radhakrishnan, and Raghunathan [20].)

Lemma 8 (Fixed-Point Quantum Search [40, 20]). By using $T$ oracle calls to $U_{\mathrm{Init}}$ and $U_G$, we can prepare a state $|\Psi\rangle$ such that $F(|\Psi\rangle, G) \ge 1 - \exp(-T\varepsilon^2)$.

Rearranging, Lemma 8 lets us prepare a state $|\Psi\rangle$ such that $F(|\Psi\rangle, G) \ge 1 - \delta$ using $T = O\left(\frac{1}{\varepsilon^2} \log \frac{1}{\delta}\right)$ iterations. On the positive side, the dependence on $1/\delta$ in this bound is logarithmic: we get not only monotonic convergence toward $G$, but exponentially-fast convergence. On the negative side, notice that the dependence on $\varepsilon$ has worsened from $1/\varepsilon$ to $1/\varepsilon^2$, negating the quadratic speedup that was the original point of quantum search!

In the rest of this section, we give a "hybrid" quantum search algorithm that combines the advantages of Lemmas 7 and 8: that is, it converges monotonically toward the target subspace $G$ (rather than "overshooting" $G$), but also achieves a quadratic speedup. In the context of our security proof for quantum money, this hybrid algorithm will lead to a quadratically-better (and in fact, tight) lower bound on the number of queries that a counterfeiter needs to make, compared to what we would get from using Lemma 8 alone. While this quadratic improvement is perhaps only of moderate interest, we include the algorithm in the hope that it will find other applications.

We first give a technical lemma needed to analyze our algorithm.

Lemma 9. For all $L, \beta, \eta, \gamma$, there are at most $(L/\beta + 1)(2\eta + 1)$ integers $T \in \{0, \ldots, L\}$ such that $|T - (\beta n + \gamma)| < \eta$ for some integer $n$.

Proof. The real interval $[0, L]$ can intersect at most $L/\beta + 1$ intervals $(\beta n + \gamma - \eta, \beta n + \gamma + \eta)$, and each such interval can contain at most $2\eta + 1$ integer points. □

We now give our hybrid of Lemmas 7 and 8.

Theorem 10 (Faster Fixed-Point Search). Let $\delta > 2\varepsilon$. Then by using $O\left(\frac{\log(1/\delta)}{\varepsilon \delta^2}\right)$ oracle calls to $U_{\mathrm{Init}}$ and $U_G$, we can prepare a state $\rho$ such that $F(\rho, G) \ge 1 - \delta$.

Proof. Let $\theta := \arcsin \varepsilon$; note that $\varepsilon \le \theta \le \frac{\pi}{2}\varepsilon$. Also let $L := \lfloor 100/\theta \rfloor$ and $R := \left\lceil \frac{25}{\delta^2} \left(2 + \log\frac{1}{\delta}\right) \right\rceil$. Then the algorithm is as follows:

(1) Choose an integer $T \in \{0, \ldots, L\}$ uniformly at random.

(2) Apply $T$ iterations of amplitude amplification with $|\mathrm{Init}\rangle$ as the initial state and $G$ as the target subspace (as in Lemma 7), to obtain a state $|\Phi_T\rangle$.

(3) Apply $R$ iterations of fixed-point quantum search with $|\Phi_T\rangle$ as the initial state and $G$ as the target subspace (as in Lemma 8), to obtain a state $|\Psi_T\rangle$.

The final output of the above algorithm is
$$\rho = \mathop{\mathbb{E}}_{T \in \{0, \ldots, L\}} \left[ |\Psi_T\rangle\langle\Psi_T| \right].$$
Also, the total number of oracle calls to $U_{\mathrm{Init}}$ and $U_G$ is
$$O(TR) = O\left(\frac{\log(1/\delta)}{\varepsilon\delta^2}\right).$$
(The reason this number scales like $TR$ rather than $T + R$ is that, in step (3), each time we reflect about the initial state $|\Phi_T\rangle$ we need to rerun step (2). Thus, we need $\Theta(T)$ oracle calls within each of the $R$ iterations.)

By Lemma 7, after step (2) we have a state $|\Phi_T\rangle$ such that
$$F(|\Phi_T\rangle, G) = |\langle \Phi_T | \mathrm{Good} \rangle| = |\sin[(2T + 1)\theta]|.$$
So for any $\alpha \in (0, 1)$,
$$\begin{aligned}
\Pr_{T \in \{0, \ldots, L\}} \left[ F(|\Phi_T\rangle, G) < \alpha \right]
&= \Pr_{T \in \{0, \ldots, L\}} \left[ |\sin[(2T + 1)\theta]| < \alpha \right] \\
&= \Pr_{T \in \{0, \ldots, L\}} \left[ \exists n \in \mathbb{Z} : |(2T + 1)\theta - \pi n| < \arcsin \alpha \right] \\
&\le \frac{1}{L + 1} \left( \frac{L}{\pi/(2\theta)} + 1 \right) \left( \frac{\arcsin\alpha}{\theta} + 1 \right) \\
&\le \frac{2}{\pi} \arcsin\alpha + \frac{2}{\pi}\theta + \frac{\theta \arcsin\alpha}{100} + \frac{\theta^2}{100} \\
&\le 1.02 (\alpha + \varepsilon),
\end{aligned}$$
where the third line uses Lemma 9 with $\beta = \pi/(2\theta)$, $\gamma = -1/2$, and $\eta = \arcsin(\alpha)/(2\theta)$; the fourth uses $100/\theta - 1 < L \le 100/\theta$; and the last uses $\arcsin\alpha \le \frac{\pi}{2}\alpha$, $\theta \le \frac{\pi}{2}\varepsilon$, and $\theta < 1$ (which holds since $\varepsilon < \delta/2 \le 1/2$).

Now assume $F(|\Phi_T\rangle, G) \ge \alpha$. Then by Lemma 8, after step (3) we have a state $|\Psi_T\rangle$ such that
$$F(|\Psi_T\rangle, G) \ge 1 - \exp(-R\alpha^2).$$
Let us now make the choice $\alpha := \delta/5$. Then by the union bound, the "average" output $\rho = \mathbb{E}_T[|\Psi_T\rangle\langle\Psi_T|]$ satisfies
$$1 - F(\rho, G) \le 1.02(\alpha + \varepsilon) + \exp(-R\alpha^2) \le 0.204\delta + 0.51\delta + \exp\left(-\frac{R\delta^2}{25}\right) < \delta,$$
since $\exp(-R\delta^2/25) \le e^{-2}\delta$ by the choice of $R$. □
Note that our hybrid loses the property of exponentially-fast convergence toward the target subspace $G$, but that property will not be important for us anyway. We leave as an open problem whether there exists a hybrid algorithm with exponentially-fast convergence.
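The two-dimensional picture behind Lemma 7, the counting in Lemma 9, and the random-$T$ step of Theorem 10 can all be computed exactly, since everything happens in the span of $|\mathrm{Good}\rangle$ and $|\mathrm{Bad}\rangle$. The following is an added example (not the paper's code): it exhibits the overshooting that Lemma 7 suffers from, counts the "bad" values of $T$ with the parameters the proof feeds into Lemma 9, and checks the $1.02(\alpha + \varepsilon)$ estimate and the final $< \delta$ arithmetic of Theorem 10 for sample values of $\varepsilon$, $\alpha$, $\delta$ chosen here. Step (3) is not simulated; its effect enters only through the $\exp(-R\alpha^2)$ term of Lemma 8.

```python
# Added example (not from the paper): exact arithmetic for the 2-D dynamics
# of Lemma 7 and for the probability bound in the proof of Theorem 10.
# After T amplitude-amplification iterations the state is
#   |Phi_T> = sin((2T+1)theta)|Good> + cos((2T+1)theta)|Bad>,  theta = arcsin(eps),
# so its fidelity with G is |sin((2T+1)theta)|.
import math

def fidelity_after(T, eps):
    """F(|Phi_T>, G) for initial fidelity eps (Lemma 7)."""
    return abs(math.sin((2 * T + 1) * math.asin(eps)))

def overshoots(eps, T_max):
    """Lemma 7's drawback: the fidelity is not monotone in T."""
    f = [fidelity_after(T, eps) for T in range(T_max + 1)]
    return any(f[i + 1] < f[i] for i in range(T_max))

def lemma9_count(L, beta, eta, gamma):
    """Exact number of T in {0..L} with |T - (beta*n + gamma)| < eta for some integer n."""
    count = 0
    for T in range(L + 1):
        # integers n with beta*n + gamma in the open interval (T - eta, T + eta)
        lo = math.floor((T - eta - gamma) / beta) + 1
        hi = math.ceil((T + eta - gamma) / beta) - 1
        if lo <= hi:
            count += 1
    return count

def lemma9_bound(L, beta, eta):
    return (L / beta + 1) * (2 * eta + 1)

def proof_parameters(eps, alpha):
    """L and the Lemma 9 parameters (beta, eta, gamma) used in the proof of Theorem 10:
    |sin((2T+1)theta)| < alpha  iff  |T - (beta*n + gamma)| < eta for some n."""
    theta = math.asin(eps)
    L = math.floor(100 / theta)
    return L, math.pi / (2 * theta), math.asin(alpha) / (2 * theta), -0.5

def bad_T_probability(eps, alpha):
    """Pr over uniform T in {0..L} that F(|Phi_T>, G) < alpha, by enumeration,
    returned next to the paper's estimate 1.02*(alpha + eps)."""
    theta = math.asin(eps)
    L = math.floor(100 / theta)
    bad = sum(1 for T in range(L + 1) if fidelity_after(T, eps) < alpha)
    return bad / (L + 1), 1.02 * (alpha + eps)

def theorem10_error(eps, delta):
    """1.02(alpha+eps) + exp(-R alpha^2) with alpha = delta/5 and
    R = ceil(25/delta^2 (2 + log 1/delta)); below delta whenever delta > 2 eps."""
    if delta <= 2 * eps:
        raise ValueError("Theorem 10 needs delta > 2*eps")
    alpha = delta / 5
    R = math.ceil(25 / delta**2 * (2 + math.log(1 / delta)))
    return 1.02 * (alpha + eps) + math.exp(-R * alpha**2)

if __name__ == "__main__":
    eps, alpha, delta = 0.01, 0.05, 0.1          # sample parameters chosen here
    print("fidelity after T=7 / T=15 iterations at eps=0.1:",
          round(fidelity_after(7, 0.1), 4), round(fidelity_after(15, 0.1), 4))
    L, beta, eta, gamma = proof_parameters(eps, alpha)
    print("bad T:", lemma9_count(L, beta, eta, gamma),
          "<= Lemma 9 bound", round(lemma9_bound(L, beta, eta), 1))
    prob, bound = bad_T_probability(eps, alpha)
    print("Pr[F < alpha] =", round(prob, 4), "<= 1.02(alpha+eps) =", round(bound, 4))
    print("Theorem 10 error estimate:", round(theorem10_error(eps, delta), 4),
          "< delta =", delta)
```

At $\varepsilon = 0.1$ the fidelity climbs to about $0.998$ after seven iterations and falls to about $0.036$ after fifteen, which is the overshooting that forces the random choice of $T$; with $\varepsilon = 0.01$ and $\alpha = 0.05$ roughly $3\%$ of the $T$ are bad, comfortably inside the $1.02(\alpha + \varepsilon) \approx 0.061$ allowance.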

3 Formalizing Quantum Money 

In this section, we first give a formal cryptographic definition of public-key quantum money schemes. Our definition is similar to that of Aaronson [3]. However, following [31, 23], we next define the notion of a quantum money mini-scheme, which is easier to construct and analyze than a full-blown quantum money scheme. A mini-scheme is basically a quantum money scheme where each banknote includes a classical serial number; where the only security requirement is that producing a second banknote with the same serial number is intractable; and where there is no public or private key (since given the lax security requirement, there is no need for one). We then prove two general results: the amplification of weak counterfeiters into strong ones (Theorem 15), and the construction of full-blown quantum money schemes from mini-schemes together with quantumly-secure digital signature schemes (Theorem 16).

3.1 Quantum Money Schemes 

Intuitively, a public-key quantum money scheme is a scheme by which

(1) a trusted "bank" can feasibly generate an unlimited number of quantum banknotes,

(2) anyone can feasibly verify a valid banknote as having come from the bank, but

(3) no one besides the bank can feasibly map $q = \mathrm{poly}(n)$ banknotes to $r > q$ banknotes with any non-negligible success probability.^{13}

We now make the notion more formal. 

Definition 11 (Quantum Money Schemes). A public-key quantum money scheme $\mathcal{S}$ consists of three polynomial-time quantum algorithms:

• KeyGen, which takes as input a security parameter $0^n$, and probabilistically generates a key pair $(k_{\mathrm{private}}, k_{\mathrm{public}})$.

• Bank, which takes as input $k_{\mathrm{private}}$, and probabilistically generates a quantum state $\$$ called a banknote. (Usually $\$$ will be an ordered pair $(s, \rho_s)$, consisting of a classical serial number $s$ and a quantum money state $\rho_s$, but this is not strictly necessary.)

• Ver, which takes as input $k_{\mathrm{public}}$ and an alleged banknote ¢, and either accepts or rejects.

We say $\mathcal{S}$ has completeness error $\varepsilon$ if $\mathrm{Ver}(k_{\mathrm{public}}, \$)$ accepts with probability at least $1 - \varepsilon$ for all public keys $k_{\mathrm{public}}$ and valid banknotes $\$$. If $\varepsilon = 0$ then $\mathcal{S}$ has perfect completeness.

^{13} Previously, Aaronson [3] required only that no polynomial-time counterfeiter could increase its expected number of valid banknotes. However, the stronger condition required here is both achievable, and seemingly more natural from the standpoint of security proofs.
Let Count (the money counter) take as input $k_{\mathrm{public}}$ as well as a collection of (possibly-entangled) alleged banknotes $\text{¢}_1, \ldots, \text{¢}_r$, and output the number of indices $i \in [r]$ such that $\mathrm{Ver}(k_{\mathrm{public}}, \text{¢}_i)$ accepts. Then we say $\mathcal{S}$ has soundness error $\delta$ if, given any quantum circuit $C(k_{\mathrm{public}}, \$_1, \ldots, \$_q)$ of size $\mathrm{poly}(n)$ (called the counterfeiter), which maps $q = \mathrm{poly}(n)$ valid banknotes $\$_1, \ldots, \$_q$ to $r = \mathrm{poly}(n)$ (possibly-entangled) alleged banknotes $\text{¢}_1, \ldots, \text{¢}_r$,
$$\Pr\left[ \mathrm{Count}\left(k_{\mathrm{public}}, C(k_{\mathrm{public}}, \$_1, \ldots, \$_q)\right) > q \right] \le \delta.$$
Here the probability is over the key pair $(k_{\mathrm{private}}, k_{\mathrm{public}})$, valid banknotes $\$_1, \ldots, \$_q$ generated by $\mathrm{Bank}(k_{\mathrm{private}})$, and the behavior of Count and $C$.

We call $\mathcal{S}$ secure if it has completeness error $\le 1/3$ and negligible soundness error.

In the appendix, we show that the completeness error in any quantum money scheme can be reduced to $1/2^{\mathrm{poly}(n)}$, at the cost of only a small increase in the soundness error. Note that, by Lemma 6 (the "Almost As Good As New Lemma"), once we make the completeness error exponentially small in $n$, we can also give our scheme the property that any banknote $\$$ can be verified $\exp(n)$ times before $\$$ gets "worn out" by repeated measurements, since the trace-distance disturbances of successive verifications add up. This observation is part of what justifies our use of the term "money."^{14}

In this paper, we will often consider relativized quantum money schemes, which simply means that the three procedures KeyGen, Bank, Ver, as well as the counterfeiter $C$, all get access to exactly the same oracle $A : \{0,1\}^* \to \{0,1\}$. We will also consider relativized digital signature schemes, etc., which are defined analogously.

A private-key quantum money scheme is the same as a public-key scheme, except that the counterfeiter $C$ no longer gets access to $k_{\mathrm{public}}$. (Thus, we might as well set $k := k_{\mathrm{public}} = k_{\mathrm{private}}$, since the public and private keys no longer play separate roles.) We call a private-key scheme query-secure, a notion "intermediate" between private-key and public-key, if it remains secure when the counterfeiter $C$ is allowed to interact repeatedly with the bank. Given any alleged banknote $\sigma$, the bank runs the verification procedure $\mathrm{Ver}(k, \sigma)$, then returns to $C$ both the classical result (i.e., accept or reject) and the post-measurement quantum state $\sigma$.

3.2 Mini-Schemes 

While Definition 11 captures our intuitive requirements for a public-key quantum money scheme, experience has shown that it is cumbersome to work with in practice. So following Lutomirski et al. [31] and Farhi et al. [23], in this section we define a simpler primitive called mini-schemes. We also prove an amplification theorem for a large class of mini-schemes. Then, in Section 3.3, we will explain how mini-schemes can be generically combined with conventional digital signature schemes to create full public-key quantum money schemes.

Definition 12 (Mini-Schemes). A (public-key) mini-scheme $\mathcal{M}$ consists of two polynomial-time quantum algorithms:

• Bank, which takes as input a security parameter $0^n$, and probabilistically generates a banknote $\$ = (s, \rho_s)$, where $s$ is a classical serial number, and $\rho_s$ is a quantum money state.

• Ver, which takes as input an alleged banknote ¢, and either accepts or rejects.

^{14} By contrast, BBBW [14] introduced the term "subway tokens" for quantum money states that get destroyed immediately upon verification.




We say $\mathcal{M}$ has completeness error $\varepsilon$ if $\mathrm{Ver}(\$)$ accepts with probability at least $1 - \varepsilon$ for all valid banknotes $\$$. If $\varepsilon = 0$ then $\mathcal{M}$ has perfect completeness. If, furthermore, $\rho_s = |\psi_s\rangle\langle\psi_s|$ is always a pure state, and Ver simply consists of a projective measurement onto the rank-1 subspace spanned by $|\psi_s\rangle$, then we say $\mathcal{M}$ is projective.^{15}

Let $\mathrm{Ver}_2$ (the double verifier) take as input a single serial number $s$ as well as two (possibly-entangled) states $\sigma_1$ and $\sigma_2$, and accept if and only if $\mathrm{Ver}(s, \sigma_1)$ and $\mathrm{Ver}(s, \sigma_2)$ both accept. We say $\mathcal{M}$ has soundness error $\delta$ if, given any quantum circuit $C$ of size $\mathrm{poly}(n)$ (the counterfeiter), $\mathrm{Ver}_2(s, C(\$))$ accepts with probability at most $\delta$. Here the probability is over the banknote $\$$ output by $\mathrm{Bank}(0^n)$, as well as the behavior of $\mathrm{Ver}_2$ and $C$.

We call $\mathcal{M}$ secure if it has completeness error $\le 1/3$ and negligible soundness error.

We observe a simple relationship between Definitions 11 and 12.

Proposition 13. If there exists a secure public-key money scheme $\mathcal{S} = (\mathrm{KeyGen}_{\mathcal{S}}, \mathrm{Bank}_{\mathcal{S}}, \mathrm{Ver}_{\mathcal{S}})$, then there also exists a secure mini-scheme $\mathcal{M} = (\mathrm{Bank}_{\mathcal{M}}, \mathrm{Ver}_{\mathcal{M}})$.

Proof. Each banknote output by $\mathrm{Bank}_{\mathcal{M}}(0^n)$ will have the form $(k_{\mathrm{public}}, \mathrm{Bank}_{\mathcal{S}}(k_{\mathrm{private}}))$, where $(k_{\mathrm{private}}, k_{\mathrm{public}})$ is a key pair output by $\mathrm{KeyGen}_{\mathcal{S}}(0^n)$; that is, the public key becomes part of the serial number. Then $\mathrm{Ver}_{\mathcal{M}}$ accepts an alleged banknote $(k_{\mathrm{public}}, \text{¢})$ if and only if $\mathrm{Ver}_{\mathcal{S}}(k_{\mathrm{public}}, \text{¢})$ does. Any counterfeiter $C_{\mathcal{M}}$ against $\mathcal{M}$ can be converted directly into a counterfeiter $C_{\mathcal{S}}$ against $\mathcal{S}$. □

Call a mini-scheme $\mathcal{M} = (\mathrm{Bank}, \mathrm{Ver})$ secret-based if Bank works by first generating a uniformly-random classical string $r$, and then generating a banknote $\$_r := (s_r, \rho_r)$. Intuitively, in a secret-based scheme, the bank can generate many identical banknotes by simply reusing $r$, while in a non-secret-based scheme, not even the bank might be able to generate two identical banknotes. Here is an interesting observation:

Proposition 14. If there exists a secure, secret-based mini-scheme, then there also exists a one-way function secure against quantum attack.

Proof. The desired OWF is $\mathrm{SerialNum}(r) := s_r$. If there existed a polynomial-time quantum algorithm to recover $r$ (or any $r'$ with $s_{r'} = s_r$) given $s_r$, then we could use that algorithm, together with Bank, to produce an unlimited number of additional banknotes with serial number $s_r$. □

All of the mini-schemes developed in this paper will be secret-based. By contrast, the earlier schemes of Lutomirski et al. [31] and Farhi et al. [23] are non-secret-based, since the serial number $s$ is only obtained as the outcome of a quantum measurement.

The following result is one of the most useful in the paper. Intuitively, it says that in projective mini-schemes, a counterfeiter that copies a banknote with any non-negligible fidelity can be "amplified" to a counterfeiter that copies the banknote almost perfectly, or conversely, that to rule out the former sort of counterfeiter, it suffices to rule out the latter. The proof makes essential use of the amplitude amplification results from Section 2.3.

Theorem 15 (Amplification of Counterfeiters). Let $\mathcal{M} = (\mathrm{Bank}, \mathrm{Ver})$ be a projective mini-scheme, and let $\$ = (s, \rho)$ be a valid banknote in $\mathcal{M}$. Suppose there exists a counterfeiter $C$ that copies $\$$ with probability $\varepsilon > 0$: that is,
$$\Pr\left[ \mathrm{Ver}_2(s, C(\$)) \text{ accepts} \right] \ge \varepsilon.$$
Then for all $\delta > 0$, there is also a modified counterfeiter $C'$ (depending only on $\varepsilon$ and $\delta$, not $\$$), which makes
$$O\left( \min\left\{ \frac{1}{\varepsilon} \log\frac{1}{\delta},\ \frac{\log(1/\delta)}{\sqrt{\varepsilon}\,\delta^2} \right\} \right)$$
queries to $C$, $C^{-1}$, and Ver and which satisfies
$$\Pr\left[ \mathrm{Ver}_2(s, C'(\$)) \text{ accepts} \right] \ge 1 - \delta.$$

^{15} We similarly call a full quantum money scheme projective, if $\mathrm{Ver}(\$)$ consists of a measurement on one part of $\$$ in the computational basis, followed by a rank-1 projective measurement on the remaining part.

Proof. Write $\$$ as a mixture of pure states:
$$\$ = \sum_i p_i |\psi_i\rangle\langle\psi_i|.$$
By linearity, clearly it suffices to show that
$$\Pr\left[ \mathrm{Ver}_2(s, C'(|\psi_i\rangle)) \text{ accepts} \right] \ge 1 - \delta$$
for all $i$ such that $p_i > 0$. We focus on $|\psi\rangle := |\psi_i\rangle$ without loss of generality.

By assumption, there exists a subspace $S$ such that
$$\Pr\left[ \mathrm{Ver}(\rho) \text{ accepts} \right] = F(\rho, S)^2$$
for all $\rho$. Then $F(\$, S) = F(|\psi\rangle, S) = 1$.

Now, just as Ver is simply a projector onto $S$, so $\mathrm{Ver}_2$ is a projector onto $S^{\otimes 2}$. Thus
$$F\left(C(|\psi\rangle), S^{\otimes 2}\right)^2 = \Pr\left[ \mathrm{Ver}_2(s, C(|\psi\rangle)) \text{ accepts} \right] \ge \varepsilon.$$

So consider performing a fixed-point Grover search, with $C(|\psi\rangle)$ as the initial state and $S^{\otimes 2}$ as the target subspace. By Lemma 8 (applied with initial fidelity $\sqrt{\varepsilon}$), this will produce a state $\rho'$ such that $F(\rho', S^{\otimes 2}) \ge 1 - \delta$ using $O\left(\frac{1}{\varepsilon} \log\frac{1}{\delta}\right)$ Grover iterations. Each iteration requires a reflection about $C(|\psi\rangle)$ and a reflection about $S^{\otimes 2}$, which can be implemented using $O(1)$ queries to $C$, $C^{-1}$ and Ver respectively. Therefore the number of queries to $C$, $C^{-1}$ and Ver is $O\left(\frac{1}{\varepsilon} \log\frac{1}{\delta}\right)$ as well.

If $\delta$ is large compared to $\varepsilon$, then we can instead use Theorem 10, which produces a state $\rho'$ such that $F(\rho', S^{\otimes 2}) \ge 1 - \delta$ using $O\left(\frac{\log(1/\delta)}{\sqrt{\varepsilon}\,\delta^2}\right)$ iterations. Taking the minimum of the two bounds gives us the claimed bound on query complexity. □

Theorem 15 is unlikely to hold for arbitrary (non-projective) mini-schemes, for the simple reason that we can always create a mini-scheme where Ver accepts any state with some small nonzero probability $\varepsilon$. We leave it as an open problem to find the largest class of mini-schemes for which Theorem 15 holds.

3.3 The Standard Construction 

Following Lutomirski et al. [31] and Farhi et al. [23], we can now define a "standard construction" of public-key quantum money schemes from mini-schemes and digital signature schemes. Given a mini-scheme $\mathcal{M} = (\mathrm{Bank}_{\mathcal{M}}, \mathrm{Ver}_{\mathcal{M}})$, and a signature scheme $\mathcal{D} = (\mathrm{KeyGen}_{\mathcal{D}}, \mathrm{Sign}_{\mathcal{D}}, \mathrm{Ver}_{\mathcal{D}})$, we define the quantum money scheme $\mathcal{S} = (\mathrm{KeyGen}_{\mathcal{S}}, \mathrm{Bank}_{\mathcal{S}}, \mathrm{Ver}_{\mathcal{S}})$ as follows:

• $\mathrm{KeyGen}_{\mathcal{S}}$ is simply $\mathrm{KeyGen}_{\mathcal{D}}$ from the digital signature scheme.

• $\mathrm{Bank}_{\mathcal{S}}$ first calls $\mathrm{Bank}_{\mathcal{M}}$ from the mini-scheme to obtain a banknote $(s, \rho)$. It then outputs $(s, \rho)$ together with a digital signature of the serial number $s$:
$$\mathrm{Bank}_{\mathcal{S}}(k_{\mathrm{private}}) := \left(s, \mathrm{Sign}_{\mathcal{D}}(k_{\mathrm{private}}, s), \rho\right).$$

• $\mathrm{Ver}_{\mathcal{S}}$ accepts an alleged banknote $(s, w, \sigma)$ if and only if $\mathrm{Ver}_{\mathcal{M}}(s, \sigma)$ and $\mathrm{Ver}_{\mathcal{D}}(k_{\mathrm{public}}, s, w)$ both accept.

Note that the signature covers only the classical serial number $s$; protecting the quantum state $\rho$ is left entirely to the mini-scheme, and this division of labor is what the proof below exploits.

We now prove the above construction's security. 

Theorem 16 (Security of the Standard Construction). Suppose $\mathcal{M}$ is a secure mini-scheme, and $\mathcal{D}$ is a digital signature scheme secure against quantum chosen-message attacks. Then $\mathcal{S}$ is a secure public-key quantum money scheme.

Proof. The intuition behind the proof is extremely simple: by requiring digital signatures for the serial numbers, we can force a counterfeiter to copy one of its existing banknotes, rather than creating a new banknote with a new serial number. In this way, we force the counterfeiter to break the underlying mini-scheme $\mathcal{M}$, rather than doing an "end run" around $\mathcal{M}$.

To formalize this intuition, suppose there exists a counterfeiter $C_{\mathcal{S}}$ against $\mathcal{S}$: that is, a polynomial-time quantum algorithm such that
$$\Pr\left[ \mathrm{Count}\left(k_{\mathrm{public}}, C_{\mathcal{S}}(k_{\mathrm{public}}, \$_1, \ldots, \$_q)\right) > q \right] \ge \frac{1}{p(n)}.$$
Here $\$_i := (s_i, w_i, \rho_i)$ is a valid banknote, Count is the money counter from Definition 11, and $p$ is some polynomial. Also, the probability is over the key pair $(k_{\mathrm{private}}, k_{\mathrm{public}})$, the valid banknotes $\$_1, \ldots, \$_q$, and the behavior of Count and $C_{\mathcal{S}}$. Suppose further that $\mathcal{D}$ is secure. Then it suffices to show that, by using $C_{\mathcal{S}}$, we can construct a counterfeiter $C_{\mathcal{M}}$ against the underlying mini-scheme $\mathcal{M}$.

Let $\mathrm{New}(k_{\mathrm{public}}, \$_1, \ldots, \$_q)$ be an algorithm that does the following:

(1) Records the serial numbers $s_1, \ldots, s_q$ of $\$_1, \ldots, \$_q$, and lets $U := \{s_1, \ldots, s_q\}$.

(2) Runs $C_{\mathcal{S}}(k_{\mathrm{public}}, \$_1, \ldots, \$_q)$, and examines the output states $\text{¢}_1, \ldots, \text{¢}_r$.

(3) Returns the number of $i \in [r]$ such that $\mathrm{Ver}_{\mathcal{S}}(\text{¢}_i)$ accepts, and $\text{¢}_i$'s serial number $s'_i$ does not belong to $U$.

Then we claim that $\Pr[\mathrm{New}(k_{\mathrm{public}}, \$_1, \ldots, \$_q) > 0]$ is negligibly small, where the probability is over the same variables as before. The proof is simply that, if this were not so, then we could easily create a counterfeiter $C_{\mathcal{D}}$ against the digital signature scheme $\mathcal{D}$. With non-negligible probability, $C_{\mathcal{D}}$ would generate a valid signature $\mathrm{Sign}_{\mathcal{D}}(k_{\mathrm{private}}, s'_i)$, for a message $s'_i$ for which $C_{\mathcal{D}}$ had never before seen a valid signature, by running $C_{\mathcal{S}}(k_{\mathrm{public}}, \$_1, \ldots, \$_q)$, then measuring $\text{¢}_i = (s'_i, w'_i, \rho'_i)$ for a uniformly random $i \in [r]$. (Note that $C_{\mathcal{D}}$ can generate $q$ money states $\$_1, \ldots, \$_q$, without knowledge of $k_{\mathrm{private}}$, by generating the $s_i$'s and $\rho_i$'s on its own, then calling the signing oracle $\mathcal{O}$ to get the $w_i$'s.)

But now we can define a counterfeiter $C_{\mathcal{M}}$ against the mini-scheme $\mathcal{M}$, which works as follows:

(i) Run $\mathrm{KeyGen}_{\mathcal{D}}(0^n)$, to generate a new key pair $(k'_{\mathrm{private}}, k'_{\mathrm{public}})$.

(ii) Label the banknote to be copied $(s_\ell, \rho_\ell)$, for some $\ell \in [q]$ chosen uniformly at random.

(iii) Repeatedly call $\mathrm{Bank}_{\mathcal{M}}(0^n)$ to generate $q - 1$ serial numbers and quantum money states, labeled $(s_i, \rho_i)$ for all $i \in [q] \setminus \{\ell\}$. Let $U := \{s_1, \ldots, s_q\}$.

(iv) Generate a digital signature $w_i := \mathrm{Sign}_{\mathcal{D}}(k'_{\mathrm{private}}, s_i)$ for each $i \in [q]$. Let $\$_i := (s_i, w_i, \rho_i)$.

(v) Run the counterfeiter $C_{\mathcal{S}}(k'_{\mathrm{public}}, \$_1, \ldots, \$_q)$, to obtain $r > q$ alleged banknotes $\text{¢}_1, \ldots, \text{¢}_r$, where $\text{¢}_j = (s'_j, w'_j, \rho'_j)$.

(vi) Choose $j, k \in [r]$ uniformly at random without replacement, and output $(\rho'_j, \rho'_k)$ as a candidate for two copies of $\rho_\ell$.

Suppose that $\mathrm{Count} > q$, as happens with probability at least $\frac{1}{p(n)}$. Also suppose that $\mathrm{New} = 0$, as happens all but a negligible fraction of the time. Then more than $q$ accepted outputs carry serial numbers from the $q$-element set $U$, so by the pigeonhole principle there must exist indices $j \ne k$ such that $s'_j = s'_k$. Since the banknote to be copied is distributed identically to the $q - 1$ banknotes that $C_{\mathcal{M}}$ generated itself, and $\ell$ was chosen uniformly, the duplicated serial number equals $s_\ell$ with probability at least $1/q$; and with probability at least $1/\binom{r}{2}$, the counterfeiter $C_{\mathcal{M}}$ picks such a $(j, k)$ pair. Therefore $C_{\mathcal{M}}$ succeeds with overall probability $\Omega(1/\mathrm{poly}(n))$. □

Theorem 16 reduces the construction of a public-key quantum money scheme to two "smaller" problems: constructing a mini-scheme, and constructing a signature scheme secure against quantum attacks. In practice, however, the situation is even better, since in this paper, all of our constructions of mini-schemes will also yield signature schemes "free of charge"! The following proposition explains why:

Proposition 17. If there exists a secure, secret-based mini-scheme $\mathcal{M}$, then there also exists a secure public-key quantum money scheme $\mathcal{S}$.

Proof. Starting from $\mathcal{M}$, we can get a one-way function secure against quantum attack from Proposition 14, and hence a digital signature scheme $\mathcal{D}$ secure against quantum chosen-message attack from Theorem 2. Combining $\mathcal{M}$ and $\mathcal{D}$ now yields $\mathcal{S}$ by Theorem 16. □

Finally, let us make explicit what Theorem 16 means for oracle constructions.

Corollary 18. Suppose there exists a mini-scheme $\mathcal{M}$ that is provably secure relative to some oracle $A_{\mathcal{M}}$ (i.e., any counterfeiter $C_{\mathcal{M}}$ against $\mathcal{M}$ must make superpolynomially many queries to $A_{\mathcal{M}}$). Then there exists a public-key quantum money scheme $\mathcal{S}$ that is provably secure relative to some other oracle $A_{\mathcal{S}}$.

Proof. By Theorem 3, relative to a suitable oracle $A_{\mathcal{D}}$ (in fact, a random oracle suffices), there exists a signature scheme $\mathcal{D}$, such that any quantum chosen-message attack against $\mathcal{D}$ must make superpolynomially many queries to $A_{\mathcal{D}}$. The oracle $A_{\mathcal{S}}$ will simply be a concatenation of $A_{\mathcal{M}}$ with $A_{\mathcal{D}}$. Relative to $A_{\mathcal{S}}$, we claim that the mini-scheme $\mathcal{M}$ and signature scheme $\mathcal{D}$ are both secure, and therefore, by Theorem 16, we can construct a secure public-key quantum money scheme $\mathcal{S}$.

The only worry is that a counterfeiter $C_{\mathcal{M}}$ against $\mathcal{M}$ might gain some advantage by querying $A_{\mathcal{D}}$; or conversely, a counterfeiter $C_{\mathcal{D}}$ against $\mathcal{D}$ might gain some advantage by querying $A_{\mathcal{M}}$. However, this worry is illusory, for the simple reason that the oracles $A_{\mathcal{D}}$ and $A_{\mathcal{M}}$ are generated independently. Thus, if $C_{\mathcal{M}}$ can break $\mathcal{M}$ by querying $A_{\mathcal{D}}$, then it can also break $\mathcal{M}$ by querying a randomly-generated "mock-up" $A'_{\mathcal{D}}$ of $A_{\mathcal{D}}$; and conversely, if $C_{\mathcal{D}}$ can break $\mathcal{D}$ by querying $A_{\mathcal{M}}$, then it can also break $\mathcal{D}$ by querying a randomly-generated mock-up $A'_{\mathcal{M}}$ of $A_{\mathcal{M}}$. Regardless of the computational cost of generating these mock-ups, they give us a break against $\mathcal{D}$ or $\mathcal{M}$ that makes only $\mathrm{poly}(n)$ oracle queries, thereby giving the desired contradiction. □

4 Inner-Product Adversary Method 

At least in the black-box setting, our goal is to create quantum money (mini-)schemes that we 
can prove are secure — by showing that any counterfeiter would need to make exponentially many 
queries to some oracle. Proving security results of this kind turns out to require interesting quantum 
lower bound machinery. In this section, we introduce the inner-product adversary method, a new 
variant of Ambainis's quantum adversary method [8] that is well-adapted to proving the security 
of quantum money schemes, and that seems likely to find other applications. 

Let us explain the difficulty we need to overcome. In a public-key quantum money scheme, a 
counterfeiter C has two powerful resources available: 

(1) One or more copies of a "legitimate" quantum money state $|\psi\rangle$.

(2) Access to a verification procedure $V$, which accepts $|\psi\rangle$ and rejects every state orthogonal to $|\psi\rangle$.

Indeed, for us, the situation is even better for $C$ (i.e., worse for us!), since $C$ can query not only the verification procedure $V$ itself, but also an underlying classical oracle $U$ that the legitimate buyers and sellers use to implement $V$. But let us ignore that issue for now.

As a first step, of course, we should understand how to rule out counterfeiting given (1) or (2) separately. If $C$ has a copy of $|\psi\rangle$, but no oracle access to $V$, then the impossibility of preparing $|\psi\rangle|\psi\rangle$ essentially amounts to the No-Cloning Theorem. Conversely, if $C$ has oracle access to $V$, but no copy of $|\psi\rangle$, then given unlimited time, $C$ can prepare as many copies of $|\psi\rangle$ as it wants, by using Grover's algorithm to search for a quantum state that $V$ accepts. The problem is "merely" that, if $|\psi\rangle$ has $n$ qubits, then Grover's algorithm requires $\Theta(2^{n/2})$ iterations, and the BBBV hybrid argument [12] shows that Grover's algorithm is optimal.

What we need, then, is a theorem showing that any counterfeiter needs exponentially many queries to $V$ to prepare $|\psi\rangle|\psi\rangle$, even if the counterfeiter has a copy of $|\psi\rangle$ to start with. Such a theorem would contain both the No-Cloning Theorem and the BBBV hybrid argument as special cases. Aaronson [3] called the desired generalization the Complexity-Theoretic No-Cloning Theorem, and sketched a proof of it using Ambainis's adversary method. Based on that result, Aaronson also argued that there exists a quantum oracle (i.e., a black-box unitary transformation $V$) relative to which secure public-key quantum money is possible. However, the details were never published.

In this section, we prove a result, Theorem 20, that is much more general than Aaronson's previous Complexity-Theoretic No-Cloning Theorem [3]. Then, in Section 5, we apply Theorem 20 to prove the security of public-key quantum money relative to a classical oracle. In Appendix 10 we also apply Theorem 20 to prove the "original" Complexity-Theoretic No-Cloning Theorem [3], which involves Haar-random $n$-qubit states $|\psi\rangle$, rather than superpositions $|A\rangle$ over subspaces $A \leq \mathbb{F}_2^n$.$^{16}$

$^{16}$ For whatever it is worth, we get a lower bound of $\Omega(2^{n/2})$ on the number of queries needed to copy a Haar-random (footnote continues after Section 4.1)

4.1 Idea of Method

So, what is the inner-product adversary method? In Ambainis's adversary method [8], like in the BBBV hybrid argument [12] from which it evolved, the basic idea is to upper-bound how much "progress" a quantum algorithm $Q$ can make at distinguishing pairs of oracles, as the result of a single query. Let $|\psi_t^U\rangle$ be $Q$'s state after $t$ queries, assuming that the oracle is $U$. Then normally, before any queries have been made, we can assume that $|\psi_0^U\rangle = |\psi_0^V\rangle$ for all oracles $U$ and $V$. By contrast, after the final query $T$, for all oracle pairs $(U,V)$ that $Q$ is trying to distinguish, we must have (say) $|\langle\psi_T^U|\psi_T^V\rangle| \leq 1/2$. Thus, if we can show that the inner product $|\langle\psi_t^U|\psi_t^V\rangle|$ can decrease by at most $\varepsilon$ as the result of a single query, then it follows that $Q$ must make $\Omega(1/\varepsilon)$ queries.

But when we try to apply the above framework to quantum money, we run into serious difficulties. Most obviously, it is no longer true that $|\psi_0^U\rangle = |\psi_0^V\rangle$ for all oracles $U,V$. Indeed, before $Q$ makes even a single query to its oracle $V$, it already has a great deal of information about $V$, in the form of a legitimate money state $|\psi\rangle$ that $V$ accepts. The task is "merely" to prepare a second copy of a state that $Q$ already has! Worse yet, once we fix two oracles $U$ and $V$, we find that $Q$ generally can exploit the "head start" provided by its initial state to decrease the inner product $|\langle\psi_t^U|\psi_t^V\rangle|$ by a constant amount, by making just a single query to $U$ or $V$ respectively.

Our solution is as follows. We first carefully choose a distribution $\mathcal{D}$ over oracle pairs $(U,V)$. We then analyze how much the expected inner product

$$\mathop{\mathbb{E}}_{(U,V)\sim\mathcal{D}}\Big[\big|\langle\psi_t^U|\psi_t^V\rangle\big|\Big]$$

can decrease as the result of a single query to $U$ or $V$. We will find that, even if $Q$ can substantially decrease the inner product between $|\psi_t^U\rangle$ and $|\psi_t^V\rangle$ for some $(U,V)$ pairs by making a single query, it cannot do so for most pairs.

To illustrate, let $|\psi\rangle$ and $|\varphi\rangle$ be two possible quantum money states, which satisfy (say) $\langle\psi|\varphi\rangle = 1/2$. Then if a counterfeiting algorithm succeeds perfectly, it must map $|\psi\rangle$ to $|\psi\rangle|\psi\rangle$, and $|\varphi\rangle$ to $|\varphi\rangle|\varphi\rangle$. Since

$$\big(\langle\psi|\otimes\langle\psi|\big)\big(|\varphi\rangle\otimes|\varphi\rangle\big) = \langle\psi|\varphi\rangle^2 = \frac{1}{4},$$

this means that the counterfeiter must decrease the corresponding inner product by at least $1/4$. However, we will show that the average inner product can decrease by at most $1/\exp(n)$ as the result of a single query. From this it will follow that the counterfeiter needs to make $2^{\Omega(n)}$ queries.
Let us mention that today, there are several "sophisticated" versions of the quantum adversary method [11, 28], which can yield lower bounds for quantum state generation tasks not unlike the ones we consider. However, a drawback of these methods is that they are extremely hard to apply to concrete problems: doing so typically requires eigenvalue bounds, and often the use of representation theory. For this reason, even if one of the "sophisticated" adversary methods (or a variant thereof) could be applied to the quantum money problem, our approach might still be preferable.



$^{16}$ (continued) state, which is quadratically better than the $\Omega(2^{n/4})$ that we get for subspace states.

4.2 The Method

We now introduce the inner-product adversary method. Let $\mathcal{O}$ be a set of quantum oracles acting on $n$ qubits each. For each $U \in \mathcal{O}$, assume there exists a subspace $S_U \leq \mathbb{C}^{2^n}$ such that

(i) $U|\psi\rangle = -|\psi\rangle$ for all $|\psi\rangle \in S_U$, and
(ii) $U|\eta\rangle = |\eta\rangle$ for all $|\eta\rangle \in S_U^{\perp}$.

Let $R \subseteq \mathcal{O} \times \mathcal{O}$ be a symmetric binary relation on $\mathcal{O}$, with the properties that

(i) $(U,U) \notin R$ for all $U \in \mathcal{O}$, and
(ii) for every $U \in \mathcal{O}$ there exists a $V \in \mathcal{O}$ such that $(U,V) \in R$.

Suppose that for all $U \in \mathcal{O}$ and all $|\eta\rangle \in S_U^{\perp}$, we have

$$\mathop{\mathbb{E}}_{V : (U,V) \in R}\Big[F(|\eta\rangle, S_V)^2\Big] \leq \varepsilon,$$

where $F(|\eta\rangle, S_V) = \max_{|\varphi\rangle \in S_V} |\langle\eta|\varphi\rangle|$ (the maximum taken over unit vectors) is the fidelity between $|\eta\rangle$ and $S_V$. Let $Q$ be a quantum oracle algorithm, and let $Q^U$ denote $Q$ run with the oracle $U \in \mathcal{O}$. Suppose $Q^U$ begins in the state $|\psi_0^U\rangle$ (possibly already dependent on $U$). Let $|\psi_t^U\rangle$ denote the state of $Q^U$ immediately after the $t^{\mathrm{th}}$ query. Also, define a progress measure $p_t$ by

$$p_t := \mathop{\mathbb{E}}_{U,V : (U,V) \in R}\Big[\big|\langle\psi_t^U|\psi_t^V\rangle\big|\Big].$$

The following lemma bounds how much $p_t$ can decrease as the result of a single query.

Lemma 19 (Bound on Progress Rate).

$$p_t \geq p_{t-1} - 4\sqrt{\varepsilon}.$$

Proof. Let $|\Phi_t^U\rangle$ denote the state of $Q^U$ immediately before the $t^{\mathrm{th}}$ query. Then for all $t$, it is clear that $\langle\Phi_t^U|\Phi_t^V\rangle = \langle\psi_{t-1}^U|\psi_{t-1}^V\rangle$: in other words, the unitary transformations that $Q$ performs in between query steps have no effect on the inner products. So to prove the lemma, it suffices to show the following inequality:

$$\mathop{\mathbb{E}}_{U,V : (U,V) \in R}\Big[\big|\langle\Phi_t^U|\Phi_t^V\rangle\big| - \big|\langle\psi_t^U|\psi_t^V\rangle\big|\Big] \leq 4\sqrt{\varepsilon}. \qquad (*)$$

Let $\{|i\rangle\}_{i \in [B]}$ be an arbitrary orthonormal basis for $Q$'s workspace register. Then we can write

$$|\Phi_t^U\rangle = \sum_{i \in [B]} \big(|\eta_{t,i}^U\rangle + |\psi_{t,i}^U\rangle\big)|i\rangle,$$

where $|\eta_{t,i}^U\rangle \in S_U^{\perp}$ and $|\psi_{t,i}^U\rangle \in S_U$ are unnormalized vectors. (By normalization, $\sum_{i \in [B]} \big(\|\eta_{t,i}^U\|^2 + \|\psi_{t,i}^U\|^2\big) = 1$.) A query transforms the above state to

$$|\psi_t^U\rangle = \sum_{i \in [B]} \big(|\eta_{t,i}^U\rangle - |\psi_{t,i}^U\rangle\big)|i\rangle.$$

So for all $U, V \in \mathcal{O}$,

$$\begin{aligned} \langle\Phi_t^U|\Phi_t^V\rangle - \langle\psi_t^U|\psi_t^V\rangle &= \sum_{i \in [B]} \big(\langle\eta_{t,i}^U| + \langle\psi_{t,i}^U|\big)\big(|\eta_{t,i}^V\rangle + |\psi_{t,i}^V\rangle\big) - \sum_{i \in [B]} \big(\langle\eta_{t,i}^U| - \langle\psi_{t,i}^U|\big)\big(|\eta_{t,i}^V\rangle - |\psi_{t,i}^V\rangle\big) \\ &= 2 \sum_{i \in [B]} \big(\langle\eta_{t,i}^U|\psi_{t,i}^V\rangle + \langle\psi_{t,i}^U|\eta_{t,i}^V\rangle\big). \end{aligned}$$

By the triangle inequality, the above implies that

$$\big|\langle\Phi_t^U|\Phi_t^V\rangle\big| - \big|\langle\psi_t^U|\psi_t^V\rangle\big| \leq 2 \sum_{i \in [B]} \big|\langle\eta_{t,i}^U|\psi_{t,i}^V\rangle\big| + 2 \sum_{i \in [B]} \big|\langle\psi_{t,i}^U|\eta_{t,i}^V\rangle\big|.$$

Now fix $U \in \mathcal{O}$ and $i \in [B]$, and let $|\hat\eta_{t,i}^U\rangle$ be the unit vector in the direction of $|\eta_{t,i}^U\rangle$. Since $|\psi_{t,i}^V\rangle \in S_V$, the definition of fidelity gives $|\langle\eta_{t,i}^U|\psi_{t,i}^V\rangle| \leq \|\eta_{t,i}^U\|\,\|\psi_{t,i}^V\|\,F(|\hat\eta_{t,i}^U\rangle, S_V)$, so by Cauchy–Schwarz and the hypothesis on $\varepsilon$,

$$\mathop{\mathbb{E}}_{V : (U,V) \in R}\Big[\big|\langle\eta_{t,i}^U|\psi_{t,i}^V\rangle\big|\Big] \leq \|\eta_{t,i}^U\| \sqrt{\mathop{\mathbb{E}}_{V}\big[\|\psi_{t,i}^V\|^2\big]} \sqrt{\mathop{\mathbb{E}}_{V}\big[F(|\hat\eta_{t,i}^U\rangle, S_V)^2\big]} \leq \sqrt{\varepsilon}\,\|\eta_{t,i}^U\| \sqrt{\mathop{\mathbb{E}}_{V}\big[\|\psi_{t,i}^V\|^2\big]}.$$

Summing over $i$ and applying Cauchy–Schwarz once more, together with the normalization conditions,

$$\mathop{\mathbb{E}}_{V : (U,V) \in R}\Big[\sum_{i \in [B]} \big|\langle\eta_{t,i}^U|\psi_{t,i}^V\rangle\big|\Big] \leq \sqrt{\varepsilon} \sqrt{\sum_{i} \|\eta_{t,i}^U\|^2} \sqrt{\sum_{i} \mathop{\mathbb{E}}_{V}\big[\|\psi_{t,i}^V\|^2\big]} \leq \sqrt{\varepsilon}.$$

Hence

$$\mathop{\mathbb{E}}_{U,V : (U,V) \in R}\Big[\sum_{i \in [B]} \big|\langle\eta_{t,i}^U|\psi_{t,i}^V\rangle\big|\Big] \leq \sqrt{\varepsilon}$$

as well, and likewise

$$\mathop{\mathbb{E}}_{U,V : (U,V) \in R}\Big[\sum_{i \in [B]} \big|\langle\psi_{t,i}^U|\eta_{t,i}^V\rangle\big|\Big] \leq \sqrt{\varepsilon}$$

by the symmetry of $R$. Putting everything together,

$$\mathop{\mathbb{E}}_{U,V : (U,V) \in R}\Big[\big|\langle\Phi_t^U|\Phi_t^V\rangle\big| - \big|\langle\psi_t^U|\psi_t^V\rangle\big|\Big] \leq 2\sqrt{\varepsilon} + 2\sqrt{\varepsilon} = 4\sqrt{\varepsilon}.$$

This proves inequality $(*)$ and hence the lemma. □

From Lemma 19 we immediately deduce the following.

Theorem 20 (Inner-Product Adversary Method). Suppose that initially $|\langle\psi_0^U|\psi_0^V\rangle| \geq c$ for all $(U,V) \in R$, whereas by the end we need $|\langle\psi_T^U|\psi_T^V\rangle| \leq d$ for all $(U,V) \in R$. Then $Q$ must make $T = \Omega\!\left(\frac{c-d}{\sqrt{\varepsilon}}\right)$ oracle queries.
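Written out (an added derivation, not text from the paper), the deduction is a single telescoping chain over Lemma 19:

$$p_T \;\geq\; p_{T-1} - 4\sqrt{\varepsilon} \;\geq\; \cdots \;\geq\; p_0 - 4T\sqrt{\varepsilon} \;\geq\; c - 4T\sqrt{\varepsilon},$$

where $p_0 \geq c$ because every term $|\langle\psi_0^U|\psi_0^V\rangle|$ in the expectation defining $p_0$ is at least $c$. The requirement $p_T \leq d$ then gives

$$T \;\geq\; \frac{c-d}{4\sqrt{\varepsilon}}.$$

With the values used for the hidden-subspace scheme in Section 5 ($c = 1/2$, $d = 1/4$, $\varepsilon = 2^{-n/2}$) this reads $T \geq 2^{n/4}/16$.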
5 Classical Oracle Scheme

In this section, we construct a mini-scheme, called the Hidden Subspace Mini-Scheme, that requires only a classical oracle. We then use the inner-product adversary method from Section 4 to show that our mini-scheme is secure; indeed, that any counterfeiter must make $\Omega(2^{n/4})$ queries to copy a banknote. By the results of Sections 3.3 and 2.1, our mini-scheme will automatically imply a full-blown public-key quantum money scheme, which requires only a classical oracle and is unconditionally secure.

5.1 The Hidden Subspace Mini-Scheme 

We identify $n$-bit strings $x \in \{0,1\}^n$ with elements of the vector space $\mathbb{F}_2^n$ in the standard way. Then in our mini-scheme, each $n$-qubit money state will have the form

$$|A\rangle := \frac{1}{\sqrt{|A|}} \sum_{x \in A} |x\rangle,$$

where $A$ is some randomly-chosen subspace of $\mathbb{F}_2^n$ (i.e., a set of codewords of a linear code), with $\dim A = n/2$. Let $A^{\perp}$ be the orthogonal complement of $A$, so that $\dim A^{\perp} = n/2$ as well. Notice that we can transform $|A\rangle$ to $|A^{\perp}\rangle$ and vice versa by simply applying $H^{\otimes n}$: a Hadamard gate on each of the $n$ qubits, or equivalently a quantum Fourier transform over $\mathbb{F}_2^n$.

The basic idea of the mini-scheme is as follows: the bank can easily prepare the quantum money state $|A\rangle$, starting from a classical description $\langle A\rangle$ of $A$ (e.g., a list of $n/2$ generators). The bank distributes the state $|A\rangle$, but keeps the classical description $\langle A\rangle$ secret. Along with $|A\rangle$ itself, the bank also publishes details of how to verify $|A\rangle$ by querying two classical oracles, $U_A$ and $U_{A^\perp}$. The first oracle, $U_A$, decides membership in $A$: for all $n$-qubit basis states $|x\rangle$,

$$U_A |x\rangle = \begin{cases} -|x\rangle & \text{if } x \in A, \\ |x\rangle & \text{otherwise.} \end{cases}$$

The second oracle, $U_{A^\perp}$, decides membership in $A^{\perp}$ in the same way.

Using $U_A$, it is easy to implement a projector $P_A$ onto the set of basis states in $A$. To do so, simply initialize a control qubit to $|+\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}}$, then apply $U_A$ conditioned on the control qubit being in state $|1\rangle$, then measure the control qubit in the $\{|+\rangle, |-\rangle\}$ basis, and postselect on getting the outcome $|-\rangle$. Likewise, using $U_{A^\perp}$, it is easy to implement a projector $P_{A^\perp}$ onto the set of basis states in $A^{\perp}$. Then $V_A$, the public verification algorithm for the money state $|A\rangle$, will simply consist of $P_A$, then a Fourier transform, then $P_{A^\perp}$, and finally a second Fourier transform to return the legitimate money state back to $|A\rangle$:

$$V_A := H^{\otimes n} P_{A^\perp} H^{\otimes n} P_A.$$

We show in Lemma 21 that $V_A$ is just a projector onto $|A\rangle$. This means, in particular, that $V_A|A\rangle = |A\rangle$, and that $V_A$ accepts an arbitrary state $|\psi\rangle$ with probability $|\langle\psi|A\rangle|^2$. Thus, our mini-scheme is projective and has perfect completeness.

But what about security? Intuitively, a counterfeiter could query $U_A$ or $U_{A^\perp}$ to find a generating set for $A$ or $A^{\perp}$, but that would require an exponentially-long Grover search, since $|A| = |A^{\perp}| = 2^{n/2} \ll 2^n$. Alternatively, the counterfeiter could measure $|A\rangle$ in the standard or Hadamard bases, but that would reveal just one random element of $A$ or $A^{\perp}$. Neither ability seems useful for copying $|A\rangle$, let alone recovering a full classical description of $A$.$^{17}$

And indeed, using the inner-product adversary method plus some other tools, we will prove the following tight lower bound (Theorem 25): even if given a single copy of $|A\rangle$, as well as oracle access to $U_A$ and $U_{A^\perp}$, a counterfeiter still needs $\Omega(\sqrt{\varepsilon}\,2^{n/4})$ queries to prepare a $2n$-qubit state that $V_A^{\otimes 2}$ accepts with probability $\varepsilon$. This will imply that our mini-scheme has $1/\exp(n)$ soundness error.

5.2 Formal Specification

We are not quite done, since we never explained how the bank provides access to $U_A$ and $U_{A^\perp}$. Thus, in our "final" mini-scheme $\mathcal{M} = (\mathrm{Bank}_{\mathcal{M}}, \mathrm{Ver}_{\mathcal{M}})$, the bank, verifier, and counterfeiter will all have access to a single classical oracle $U$, which consists of four components:

• A banknote generator $\mathcal{G}(r)$, which takes as input a random string $r \in \{0,1\}^n$, and outputs a set of linearly independent generators $\langle A_r\rangle = \{x_1, \dots, x_{n/2}\}$ for a subspace $A_r \leq \mathbb{F}_2^n$, as well as a unique $3n$-bit serial number $s_r \in \{0,1\}^{3n}$. The function $\mathcal{G}$ is chosen uniformly at random, subject to the constraint that the serial numbers are all distinct.$^{18}$

• A serial number checker $\mathcal{H}(s)$, which outputs $1$ if $s = s_r$ is a valid serial number for some $\langle A_r\rangle$, and $0$ otherwise.

• A primal subspace tester $T_{\mathrm{primal}}$, which takes an input of the form $|s\rangle|x\rangle$, applies $U_{A_r}$ to $|x\rangle$ if $s = s_r$ is a valid serial number for some $\langle A_r\rangle$, and does nothing otherwise.

• A dual subspace tester $T_{\mathrm{dual}}$, identical to $T_{\mathrm{primal}}$ except that it applies $U_{A_r^\perp}$ instead of $U_{A_r}$.

Then $\mathcal{M} = (\mathrm{Bank}_{\mathcal{M}}, \mathrm{Ver}_{\mathcal{M}})$ is defined as follows:

• $\mathrm{Bank}_{\mathcal{M}}(0^n)$ chooses $r \in \{0,1\}^n$ uniformly at random. It then looks up $\mathcal{G}(r) = (s_r, \langle A_r\rangle)$, and outputs the banknote $|\$_r\rangle = |s_r\rangle|A_r\rangle$.

• $\mathrm{Ver}_{\mathcal{M}}$(¢) first uses $\mathcal{H}$ to check that ¢ has the form $(s, \rho)$, where $s = s_r$ is a valid serial number. If so, then it uses $T_{\mathrm{primal}}$ and $T_{\mathrm{dual}}$ to apply $V_{A_r} = H^{\otimes n} P_{A_r^\perp} H^{\otimes n} P_{A_r}$, and accepts if and only if $V_{A_r}(\rho)$ accepts.

5.3 Analysis

We now analyze the mini-scheme defined in Sections 5.1 and 5.2. For convenience, we assume for most of the proof that the subspace $A \leq \mathbb{F}_2^n$ is fixed, and that the counterfeiter (who does not know $A$) only has access to the oracles $U_A$ and $U_{A^\perp}$. Then, at the end, we will explain how to generalize the conclusions to the "final" mini-scheme $\mathcal{M}$.



$^{17}$ Obviously, if the counterfeiter had $\Omega(n)$ copies of $|A\rangle$, then it could recover a generating set for $A$, by simply measuring each copy independently in the standard basis. That is why, in our full quantum money scheme, the counterfeiter will not have $\Omega(n)$ copies of $|A\rangle$. Instead, each banknote will involve a completely different subspace $A_s \leq \mathbb{F}_2^n$ (parameterized by its unique serial number $s$), so that measuring one banknote reveals nothing about the others.

$^{18}$ Note that one can implement $\mathcal{G}$ using an ordinary random oracle. In that case, the requirement that the serial numbers are distinct will be satisfied with probability $1 - O(2^{-n})$.
It will be convenient to consider the subset $A^* \subseteq \{0,1\}^{n+1}$, defined by

$$A^* := (0, A) \cup (1, A^{\perp}).$$

Let $S_{A^*}$ be the subspace of $\mathbb{C}^{2^{n+1}}$ that is spanned by basis states $|x\rangle$ such that $x \in A^*$. Then we can think of the pair of oracles $(U_A, U_{A^\perp})$ as being a single oracle $U_{A^*}$, which satisfies $U_{A^*}|\psi\rangle = -|\psi\rangle$ for all $|\psi\rangle \in S_{A^*}$, and $U_{A^*}|\eta\rangle = |\eta\rangle$ for all $|\eta\rangle \in S_{A^*}^{\perp}$ (where here $\perp$ means the orthogonal complement in $\mathbb{C}^{2^{n+1}}$, not the orthogonal complement in $\mathbb{F}_2^n$!).

Recall the definition of the verifier $V_A$:

$$V_A := H^{\otimes n} P_{A^\perp} H^{\otimes n} P_A,$$

where $P_A$ and $P_{A^\perp}$ denote projective measurements that accept a basis state $|x\rangle$ if and only if $x$ belongs to $A$ or $A^{\perp}$ respectively. The following lemma shows that $V_A$ "works," and indeed that it gives us a projective mini-scheme.

Lemma 21. $V_A = |A\rangle\langle A|$ is simply a projector onto $|A\rangle$. So in particular, $\Pr[V_A(|\psi\rangle) \text{ accepts}] = |\langle\psi|A\rangle|^2$.

Proof. It suffices to show that $V_A|A\rangle = |A\rangle$ and that $V_A|\psi\rangle = 0$ for all $|\psi\rangle$ orthogonal to $|A\rangle$. First,

$$\begin{aligned} V_A|A\rangle &= H^{\otimes n} P_{A^\perp} H^{\otimes n} P_A |A\rangle \\ &= H^{\otimes n} P_{A^\perp} H^{\otimes n} |A\rangle \\ &= H^{\otimes n} P_{A^\perp} |A^\perp\rangle \\ &= H^{\otimes n} |A^\perp\rangle \\ &= |A\rangle. \end{aligned}$$

Second, if $\langle\psi|A\rangle = 0$ then we can write

$$|\psi\rangle = \sum_{x \in \{0,1\}^n} \alpha_x |x\rangle,$$

where $\sum_{x \in A} \alpha_x = 0$. Then

$$\begin{aligned} V_A|\psi\rangle &= H^{\otimes n} P_{A^\perp} H^{\otimes n} P_A \sum_{x \in \{0,1\}^n} \alpha_x |x\rangle \\ &= H^{\otimes n} P_{A^\perp} H^{\otimes n} \sum_{x \in A} \alpha_x |x\rangle \\ &= H^{\otimes n} P_{A^\perp} \frac{1}{2^{n/2}} \sum_{x \in A} \alpha_x \sum_{y \in \{0,1\}^n} (-1)^{x \cdot y} |y\rangle \\ &= H^{\otimes n} \frac{1}{2^{n/2}} \sum_{y \in A^\perp} \Big(\sum_{x \in A} \alpha_x (-1)^{x \cdot y}\Big) |y\rangle \\ &= H^{\otimes n} \frac{1}{2^{n/2}} \sum_{y \in A^\perp} \Big(\sum_{x \in A} \alpha_x\Big) |y\rangle \\ &= 0, \end{aligned}$$

since $x \cdot y = 0$ whenever $x \in A$ and $y \in A^{\perp}$. □
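The verifier $V_A$ and the claims of Lemma 21 can be checked numerically for a small $n$. The following Python script is an example added here, not code from the paper: it simulates $n$-qubit states as real amplitude vectors of length $2^n$, implements $H^{\otimes n}$ as a normalised Walsh–Hadamard transform and $P_A$, $P_{A^\perp}$ as projections onto basis states, and checks that $H^{\otimes n}|A\rangle = |A^\perp\rangle$, that $V_A|A\rangle = |A\rangle$, and that $V_A|\psi\rangle = \langle A|\psi\rangle\,|A\rangle$ for a pseudo-random $|\psi\rangle$. It also builds a neighbouring subspace $B$ with $\dim(A \cap B) = n/2 - 1$ and evaluates $|\langle A|B\rangle| = 1/2$ together with the ratio $|B \setminus A| / |\{0,1\}^n \setminus A| \leq 2^{-n/2}$ that the proof of Theorem 22 below uses as its $\varepsilon$. The qubit count $N = 6$, the seeds, and all function names are choices made for this example.

```python
import math
import random

N = 6  # number of qubits, chosen for this example; vectors of F_2^N are N-bit integers

def span(gens):
    """All elements of the subspace of F_2^N generated by gens (XOR of subsets)."""
    elems = {0}
    for g in gens:
        elems |= {e ^ g for e in elems}
    return frozenset(elems)

def dual(A):
    """A^perp = {y : x.y = 0 (mod 2) for every x in A}."""
    return frozenset(y for y in range(1 << N)
                     if all(bin(x & y).count("1") % 2 == 0 for x in A))

def random_subspace(rng, dim):
    """dim linearly independent generators (rejection sampling) and their span."""
    while True:
        gens = [rng.randrange(1, 1 << N) for _ in range(dim)]
        A = span(gens)
        if len(A) == 1 << dim:
            return gens, A

def subspace_state(A):
    """|A> = |A|^{-1/2} sum_{x in A} |x>, stored as 2^N real amplitudes."""
    amp = 1.0 / math.sqrt(len(A))
    return [amp if x in A else 0.0 for x in range(1 << N)]

def hadamard_all(vec):
    """H^{(x)N}: fast Walsh-Hadamard transform with the 2^{-N/2} normalisation."""
    v = list(vec)
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                v[j], v[j + h] = v[j] + v[j + h], v[j] - v[j + h]
        h *= 2
    scale = 1.0 / math.sqrt(len(v))
    return [x * scale for x in v]

def project(vec, S):
    """P_S: keep the amplitudes on basis states |x> with x in S, zero the others."""
    return [vec[x] if x in S else 0.0 for x in range(len(vec))]

def verify(A, vec):
    """V_A = H^{(x)N} P_{A^perp} H^{(x)N} P_A, the public verifier of Section 5.1."""
    return hadamard_all(project(hadamard_all(project(vec, A)), dual(A)))

def inner(u, v):
    return sum(a * b for a, b in zip(u, v))

def close(u, v, tol=1e-9):
    return max(abs(a - b) for a, b in zip(u, v)) < tol

def check_lemma_21(seed=1):
    """H|A> = |A^perp>, V_A|A> = |A>, and V_A|psi> = <A|psi>|A> for a random real |psi>."""
    rng = random.Random(seed)
    _, A = random_subspace(rng, N // 2)
    ket_a = subspace_state(A)
    ok_dual = close(hadamard_all(ket_a), subspace_state(dual(A)))
    ok_accept = close(verify(A, ket_a), ket_a)
    psi = [rng.gauss(0.0, 1.0) for _ in range(1 << N)]   # constructed pseudo-random state
    norm = math.sqrt(inner(psi, psi))
    psi = [x / norm for x in psi]
    ok_proj = close(verify(A, psi), [inner(ket_a, psi) * a for a in ket_a])
    return ok_dual and ok_accept and ok_proj

def neighbour_pair(seed=2):
    """A and B with dim(A ∩ B) = N/2 - 1: keep all but one generator of A, add some x not in A."""
    rng = random.Random(seed)
    gens, A = random_subspace(rng, N // 2)
    x = next(x for x in range(1 << N) if x not in A)
    return A, span(gens[:-1] + [x])

def neighbour_overlap(seed=2):
    """|<A|B>| for a neighbouring pair; the proof of Theorem 22 relies on this being 1/2."""
    A, B = neighbour_pair(seed)
    return abs(inner(subspace_state(A), subspace_state(B)))

def adversary_epsilon(seed=2):
    """|B minus A| / |{0,1}^N minus A|, bounded by 2^{-N/2} in the proof of Theorem 22."""
    A, B = neighbour_pair(seed)
    return len(B - A) / ((1 << N) - len(A))
```

For $N = 6$ the neighbouring pair gives $|B \setminus A| = 4$ out of $64 - 8 = 56$ strings outside $A$, i.e. $\varepsilon = 1/14 \leq 2^{-3}$, and the overlap is $|A \cap B| / \sqrt{|A|\,|B|} = 4/8$.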



We now show that perfect counterfeiting requires exponentially many queries to $U_{A^*}$.

Theorem 22 (Lower Bound for Perfect Counterfeiting). Given one copy of $|A\rangle$, as well as oracle access to $U_{A^*}$, a counterfeiter needs $\Omega(2^{n/4})$ queries to prepare $|A\rangle^{\otimes 2}$ with certainty (for a worst-case $|A\rangle$).

Proof. We will apply Theorem 20. Let the set $\mathcal{O}$ contain $U_{A^*}$ for every possible subspace $A \leq \mathbb{F}_2^n$ with $\dim A = n/2$. Also, put $(U_{A^*}, U_{B^*}) \in R$ if and only if $\dim(A \cap B) = n/2 - 1$. Then given $U_{A^*} \in \mathcal{O}$ and $|\eta\rangle \in S_{A^*}^{\perp}$, let

$$|\eta\rangle = \sum_{x \in \{0,1\}^{n+1} \setminus A^*} \alpha_x |x\rangle.$$

We have

$$\begin{aligned} \mathop{\mathbb{E}}_{U_{B^*} : (U_{A^*}, U_{B^*}) \in R}\Big[F(|\eta\rangle, S_{B^*})^2\Big] &= \mathop{\mathbb{E}}_{B : \dim(B) = n/2,\ \dim(A \cap B) = n/2 - 1}\Big[\sum_{x \in B^* \setminus A^*} |\alpha_x|^2\Big] \\ &\leq \max_{x \in \{0,1\}^{n+1} \setminus A^*}\ \Pr_{B : \dim(B) = n/2,\ \dim(A \cap B) = n/2 - 1}\big[x \in B^*\big] \\ &= \max_{x \in \{0,1\}^{n} \setminus A}\ \Pr_{B : \dim(B) = n/2,\ \dim(A \cap B) = n/2 - 1}\big[x \in B\big] \\ &= \frac{|B \setminus A|}{|\{0,1\}^n \setminus A|} \qquad (\text{for } \dim(B) = n/2,\ \dim(A \cap B) = n/2 - 1) \\ &= \frac{2^{n/2 - 1}}{2^n - 2^{n/2}} \\ &\leq \frac{1}{2^{n/2}}. \end{aligned}$$

Here the first line uses the definition of fidelity, the second line uses the easy direction of the minimax theorem, the third line uses the symmetry between $A$ and $A^{\perp}$, and the fourth line uses the symmetry among all $2^n - 2^{n/2}$ strings $x \in \{0,1\}^n \setminus A$. The conclusion is that we can set $\varepsilon := 2^{-n/2}$.

Fix $(U_{A^*}, U_{B^*}) \in R$. Then $|\langle A|B\rangle| = |A \cap B| / \sqrt{|A|\,|B|} = 1/2$. On the other hand, if the counterfeiter succeeds, it must map $|A\rangle$ to some state $|f_A\rangle := |A\rangle|A\rangle|\mathrm{garbage}_A\rangle$, and $|B\rangle$ to some state $|f_B\rangle := |B\rangle|B\rangle|\mathrm{garbage}_B\rangle$. Therefore $|\langle f_A|f_B\rangle| \leq 1/4$. So setting $c = 1/2$ and $d = 1/4$, Theorem 20 tells us that the counterfeiter must make

$$\Omega\!\left(\frac{c - d}{\sqrt{\varepsilon}}\right) = \Omega\big(2^{n/4}\big)$$

queries to $U_{A^*}$. □

A simple modification to the proof of Theorem 22 shows that even to counterfeit money almost perfectly, one still needs exponentially many queries to $U_{A^*}$.

Corollary 23 (Lower Bound for Small-Error Counterfeiting). Given one copy of $|A\rangle$, as well as oracle access to $U_{A^*}$, a counterfeiter needs $\Omega(2^{n/4})$ queries to prepare a state $\rho$ such that $\langle A|^{\otimes 2} \rho |A\rangle^{\otimes 2} \geq 0.9999$ (for a worst-case $|A\rangle$).

Proof. Let $|\langle A|B\rangle| = c$, and let $\epsilon := 0.0001$ (this error parameter is unrelated to the $\varepsilon = 2^{-n/2}$ of Theorem 20). If the counterfeiter succeeds, it must map $|A\rangle$ to some state $\rho_A$, and $|B\rangle$ to some state $\rho_B$, such that $\langle A|^{\otimes 2} \rho_A |A\rangle^{\otimes 2}$ and $\langle B|^{\otimes 2} \rho_B |B\rangle^{\otimes 2}$ are both at least $1 - \epsilon$. So letting $|f_A\rangle$ and $|f_B\rangle$ be purifications of $\rho_A$ and $\rho_B$ respectively, we have

$$\begin{aligned} |\langle f_A|f_B\rangle| &\leq F(\rho_A, \rho_B) \\ &\leq \big|\langle A|^{\otimes 2}|B\rangle^{\otimes 2}\big| + 2\epsilon^{1/4} \\ &= c^2 + 2\epsilon^{1/4}, \end{aligned}$$

where the second line follows from Lemma 5. So setting $d := c^2 + 2\epsilon^{1/4}$, Theorem 20 tells us that the counterfeiter must make

$$\Omega\!\left(\frac{c - c^2 - 2\epsilon^{1/4}}{\sqrt{2^{-n/2}}}\right)$$

queries to $U_{A^*}$. Fixing $c := 1/2$ (the value forced by the relation $R$ of Theorem 22), the numerator equals $1/4 - 2 \cdot 0.1 = 0.05 > 0$, so the above is $\Omega(2^{n/4})$. □

Since the verifier $V_A$ is projective, we can now combine Corollary 23 with Theorem 15 to obtain the following "amplified" lower bound.

Corollary 24 (Lower Bound for High-Error Counterfeiting). Let $1/\varepsilon = o(2^{n/2})$. Given one copy of $|A\rangle$, as well as oracle access to $U_{A^*}$, a counterfeiter needs $\Omega(\sqrt{\varepsilon}\,2^{n/4})$ queries to prepare a state $\rho$ such that $\langle A|^{\otimes 2} \rho |A\rangle^{\otimes 2} \geq \varepsilon$ (for a worst-case $|A\rangle$).

Proof. Suppose we have a counterfeiter $C$ that makes $o(\sqrt{\varepsilon}\,2^{n/4})$ queries to $U_{A^*}$, and prepares a state $\sigma$ such that $\langle A|^{\otimes 2} \sigma |A\rangle^{\otimes 2} \geq \varepsilon$. Let $\delta := 0.00001$. Then by Theorem 15 there exists an amplified counterfeiter $C'$ that makes $O(1/\sqrt{\varepsilon})$ calls to $C$ and $V_A$ (the constant depending only on the fixed $\delta$), and that prepares a state $\rho$ such that $\langle A|^{\otimes 2} \rho |A\rangle^{\otimes 2} \geq 1 - \delta$. Now, counting the $o(\sqrt{\varepsilon}\,2^{n/4})$ queries from each $C$ invocation and $O(1)$ queries from each $V_A$ invocation, the total number of queries that $C'$ makes to $U_{A^*}$ is

$$\Big[o\big(\sqrt{\varepsilon}\,2^{n/4}\big) + O(1)\Big] \cdot O\!\left(\frac{1}{\sqrt{\varepsilon}}\right) = o\big(2^{n/4}\big),$$

where the second term is absorbed because $1/\sqrt{\varepsilon} = o(2^{n/4})$. But this contradicts Corollary 23. □

So far, we have only made statements about the worst case for a would-be counterfeiter. But such guarantees are clearly not enough: it could be that most money states $|A\rangle$ are easy to duplicate, without contradicting any of the results we have seen so far.

We will show that the problem faced by a counterfeiter is random self-reducible: if a counterfeiter could duplicate a uniformly-random money state $|A\rangle$, then it could duplicate any $|A\rangle$. Thus the bank can ensure security by creating uniformly-random money states.

In what follows, let $S$ be the set of all subspaces $A \leq \mathbb{F}_2^n$ such that $\dim A = n/2$. Also, let $V_A^{\otimes 2} = (|A\rangle\langle A|)^{\otimes 2}$ be the projector onto $|A\rangle^{\otimes 2}$.
Theorem 25 (Lower Bound for Average-Case Counterfeiting). Let $A \leq \mathbb{F}_2^n$ be a uniformly-random element of $S$. Then given one copy of $|A\rangle$, as well as oracle access to $U_{A^*}$, a counterfeiter $C$ needs $\Omega(\sqrt{\varepsilon}\,2^{n/4})$ queries to prepare a $2n$-qubit state $\rho$ that $V_A^{\otimes 2}$ accepts with probability at least $\varepsilon$, for all $1/\varepsilon = o(2^{n/2})$. Here the probability is taken over the choice of $A \in S$, as well as the behavior of $C$ and $V_A^{\otimes 2}$.

Proof. Suppose we had a counterfeiter $C$ that violated the above. Using $C$ as a black box, we will show how to construct a new counterfeiter $C'$ that violates Corollary 24.

Given a (deterministically-chosen) money state $|A\rangle$ and oracle access to $U_{A^*}$, first choose an invertible linear map $f : \mathbb{F}_2^n \to \mathbb{F}_2^n$ uniformly at random. Then $f(A)$, the image of $A$ under $f$, is a uniformly-random element of $S$. Furthermore, the state $|A\rangle$ can be transformed into $|f(A)\rangle$ straightforwardly, by applying $f$ reversibly to the basis states of the register; the oracle $U_{f(A)}$ can be simulated by applying $f^{-1}$ to the query and then calling $U_A$, since $x \in f(A)$ if and only if $f^{-1}(x) \in A$; and the oracle $U_{f(A)^\perp}$ can likewise be simulated by applying $f^{T}$ to the query and then calling $U_{A^\perp}$, since $f(A)^{\perp} = f^{-T}(A^{\perp})$, where $f^{-T}$ denotes the inverse transpose of $f$. So by using the counterfeiter $C$ for uniformly-random states, we can produce a state $\rho_f$ that $V_{f(A)}^{\otimes 2}$ accepts with probability at least $\varepsilon$. By applying $f^{-1}$ to both registers of $\rho_f$, we can then obtain a state $\rho$ that $V_A^{\otimes 2}$ accepts with probability at least $\varepsilon$, thereby contradicting Corollary 24. □

We are now ready to prove security for the "final" mini-scheme $\mathcal{M}$ defined in Section 5.2.

Theorem 26 (Security of Mini-Scheme). The mini-scheme $\mathcal{M} = (\mathrm{Bank}_{\mathcal{M}}, \mathrm{Ver}_{\mathcal{M}})$, which is defined relative to the classical oracle $U$, has perfect completeness and $1/\exp(n)$ soundness error.

Proof. That $\mathcal{M}$ has perfect completeness follows from its definition and from Lemma 21. That $\mathcal{M}$ has $1/\exp(n)$ soundness error essentially follows from Theorem 25. We only need to show that, given a banknote of the form $|\$_r\rangle = |s_r\rangle|A_r\rangle$, a polynomial-time counterfeiter $C$ can gain no additional advantage by querying the "full" oracles $\mathcal{G}, \mathcal{H}, T_{\mathrm{primal}}, T_{\mathrm{dual}}$, beyond what it gains from querying $U_{A_r^*} = (U_{A_r}, U_{A_r^\perp})$.

Let $r \in \{0,1\}^n$ be the random string chosen by the bank, so that $\mathcal{G}(r) = (s_r, \langle A_r\rangle)$. Then observe that, even conditioned on $s_r$ and $A_r$, as well as complete descriptions of $T_{\mathrm{primal}}$, $T_{\mathrm{dual}}$, and $\mathcal{H}$, the string $r$ remains uniformly random. Nor can querying $\mathcal{G}(r')$ for $r' \neq r$ reveal any information about $r$, since the values of $\mathcal{G}$ are generated independently. So suppose we modify $\mathcal{G}$ by setting $\mathcal{G}(r) := (s', \langle A'\rangle)$, for some new $3n$-bit serial number $s'$ and list of generators $\langle A'\rangle$ chosen uniformly at random. Then the BBBV hybrid argument [12] tells us that, in expectation over $r$, this can alter the final state output by the counterfeiter $C(|\$_r\rangle)$ by at most $\mathrm{poly}(n)/2^{n/2}$ in trace distance. So in particular, if $C$ succeeded with non-negligible probability before, then $C$ must still succeed with non-negligible probability after we set $\mathcal{G}(r) := (s', \langle A'\rangle)$.

However, once we make this modification, an adversary trying to counterfeit $|A\rangle$ given $U_A$ and $U_{A^\perp}$ can easily "mock up" a serial number $s$, as well as the oracles $\mathcal{G}, \mathcal{H}, T_{\mathrm{primal}}$ and $T_{\mathrm{dual}}$, for itself. For $s$, $\mathcal{G}$, and $\mathcal{H}$ are now drawn from a distribution completely independent of $A$. The oracles $T_{\mathrm{primal}}$ and $T_{\mathrm{dual}}$ are likewise independent of $A$, except that $T_{\mathrm{primal}}|s\rangle|v\rangle = |s\rangle U_A|v\rangle$ and $T_{\mathrm{dual}}|s\rangle|v\rangle = |s\rangle U_{A^\perp}|v\rangle$, behaviors that an adversary can easily simulate using $U_A$ and $U_{A^\perp}$, together with its knowledge of $s$. Just like in Corollary 18, since our security guarantees are query complexity bounds, we do not care about the computational complexity of creating the mock-ups.

By using the mock-ups, one can convert any successful attack on $\mathcal{M}$ into successful counterfeiting of $|A\rangle$, given oracle access to $U_A$ and $U_{A^\perp}$ only. But the latter contradicts Theorem 25. □
Finally, using Theorem 26 together with Corollary 18, we can obtain a secure public-key quantum money scheme, relative to a classical oracle.

Theorem 27 (Security of Hidden Subspace Money). By combining the mini-scheme $\mathcal{M}$ with a digital signature scheme, it is possible to construct a public-key quantum money scheme $\mathcal{S} = (\mathrm{KeyGen}_{\mathcal{S}}, \mathrm{Bank}_{\mathcal{S}}, \mathrm{Ver}_{\mathcal{S}})$, defined relative to some classical oracle $U'$, which has perfect completeness and $1/\exp(n)$ soundness error.

6 Explicit Quantum Money Scheme

We have shown how to construct a provably-secure public-key quantum money scheme, when an appropriate classical oracle is available. In this section, we propose a way to obtain the same functionality without an oracle. The key challenge is this:

Given a subspace $A \leq \mathbb{F}_2^n$, how can a bank distribute an "obfuscated program" $P_A$, which legitimate buyers and sellers can use to decide membership in both $A$ and $A^{\perp}$, but which does not reveal anything else about $A$ that might facilitate counterfeiting?

Note that, aside from the detail that we need security against quantum adversaries, the above challenge is purely "classical"; it and its variants seem interesting even apart from our quantum money application.

We will suggest a candidate protocol to achieve the challenge, based on multivariate polynomial cryptography. Given a collection $p_1, \dots, p_m : \mathbb{F}_2^n \to \mathbb{F}_2$ of multivariate polynomials over $\mathbb{F}_2$, it is generally hard to find a point $v \in \mathbb{F}_2^n$ on which all of the $p_i$'s vanish. On the other hand, it is easy to check whether a particular point $v$ has that property. To "hide" a subspace $A$, we will provide uniformly-random low-degree polynomials $p_1, \dots, p_m$ that vanish on each point of $A$. This information is sufficient to decide membership in $A$. On the other hand, there is no known efficient algorithm to find $A$ given the polynomials, and current techniques seem unlikely to yield even a quantum algorithm.

We can also introduce a constant fraction of noise into our scheme without interfering with its completeness. In other words, if only $(1 - \varepsilon)m$ of the polynomials $p_1, \dots, p_m$ are chosen to vanish on $A$, and the remaining $\varepsilon m$ are random, then counting the number of $p_i$'s that vanish at a point $v$ still suffices to determine whether $v \in A$. Although we know of no attack even against our noise-free scheme, adding noise in this way might improve security.

Crucially, we will state a "classical" conjecture about the security of multivariate polynomial cryptography, and show that the conjecture implies the security of our explicit money scheme. For the benefit of cryptographers, let us now state an "abstract" version of our conjecture, which implies what we need, and which might hold even if our concrete conjecture about multivariate polynomials fails.



Conjecture 28 (Subspace-Hiding Conjecture, Sufficient for Quantum Money). There exists a polynomial-time algorithm that takes as input a description of a uniformly-random subspace $A \leq \mathbb{F}_2^n$ with $\dim(A) = n/2$, and that outputs circuits $C_A$ and $C_{A^\perp}$, such that the following holds.

(i) $C_A(v)$ decides whether $v \in A$, and $C_{A^\perp}(v)$ decides whether $v \in A^{\perp}$, for all $v \in \mathbb{F}_2^n$.

(ii) Given descriptions of $C_A$ and $C_{A^\perp}$, no polynomial-time quantum algorithm can find a generating set for $A$ with success probability $\Omega(2^{-n/2})$.

Later, Conjecture 33 will specialize Conjecture 28 to the setting of multivariate polynomials.

6.1 Useful Facts About Polynomials

By viewing elements of $\mathbb{F}_2^n$ as $n$-tuples $(x_1, \dots, x_n)$, we can evaluate a polynomial $p(x_1, \dots, x_n)$ on points of $\mathbb{F}_2^n$.

Given a subspace $A \leq \mathbb{F}_2^n$ and a positive integer $d$, let $I_{d,A}$ be the set of degree-$d$ polynomials (not necessarily homogeneous) that vanish on $A$. Since we are working over $\mathbb{F}_2$, note that $x_i^2 = x_i$, so it suffices to consider multilinear polynomials (in which no $x_i$ is ever raised to a higher power than $1$).

Before presenting our scheme, we need to establish some basic properties of polynomials over $\mathbb{F}_2$. First, we observe that the set of polynomials does not depend on the choice of basis.

Proposition 29. Let $L$ be any invertible linear transformation on $\mathbb{F}_2^n$. Then the map $p(v) \mapsto p(Lv)$ defines a permutation on the set of degree-$d$ polynomials, which maps $I_{d,A}$ to $I_{d,L^{-1}A}$.

Implementing our scheme will require sampling uniformly from $I_{d,A}$, which the next lemma shows is possible.

Lemma 30. It is possible to sample a uniformly-random element of $I_{d,A}$ in time $O(n^d)$.

Proof. By Proposition 29, we can instead sample from the space of polynomials which vanish on $\mathrm{span}(x_1, \dots, x_{n/2})$, and then apply an appropriate change of basis to obtain a sample from $I_{d,A}$. So assume without loss of generality that $A = \mathrm{span}(x_1, \dots, x_{n/2})$.

We claim that a polynomial $p$ vanishes on $A$ if and only if every monomial of $p$ intersects $\{x_{n/2+1}, \dots, x_n\}$. This will immediately give an $O(n^d)$-time sampling algorithm, because we can consider each of the $O(n^d)$ degree-$d$ monomials in turn, and include each one independently with probability $1/2$ if it intersects $\{x_{n/2+1}, \dots, x_n\}$.

To prove the claim: first, if every monomial intersects $\{x_{n/2+1}, \dots, x_n\}$, then clearly $p$ vanishes on $A$. Otherwise, let $m$ be a minimal monomial that does not intersect $\{x_{n/2+1}, \dots, x_n\}$. Consider the vector $v = (v_1, \dots, v_n)$ with $v_i = 1$ if and only if $x_i \in m$. Since $m$ does not intersect $\{x_{n/2+1}, \dots, x_n\}$, clearly $v \in A$. Also, since $m$ is minimal, every other monomial must evaluate to $0$ on $v$. Thus $p(v) = m(v) = 1$, so $p$ is not identically zero on $A$. □

In addition to sampling polynomials that vanish on $A$, we would like to guarantee that a sufficiently large system of such polynomials uniquely determines the space $A$, so that such a system can be effectively used as a membership oracle.

Lemma 31. Fix $A \leq \mathbb{F}_2^n$ and $\beta > 1$, and choose $\beta n$ polynomials $p_1, \dots, p_{\beta n}$ uniformly and independently from $I_{d,A}$. Let $Z$ be the set of $v \in \mathbb{F}_2^n$ such that $p_i(v) = 0$ for all $i \in [\beta n]$. Then $A \subseteq Z$, and $\Pr[Z = A] = 1 - 2^{-\Omega(n)}$.

Proof. $A \subseteq Z$ is clear. For the probabilistic part, fix a point $v \notin A$. Then by the union bound over the fewer than $2^n$ such points, it suffices to show that $\Pr[v \in Z] \leq c^{-n}$ for some $c > 2$.

Since $v \notin A$, there must be some $w \in A^{\perp}$ such that $w \cdot v = 1$. The linear polynomial $\ell_w(x) := w \cdot x$ vanishes on $A$ (because $w \in A^{\perp}$), so the map $p \mapsto p + \ell_w$ defines an involution of $I_{d,A}$ (for $d \geq 1$), and exactly one of $p(v)$ and $p(v) + w \cdot v$ is zero. This means that exactly half of the polynomials in $I_{d,A}$ vanish at $v$. Hence

$$\Pr\big[p_1(v) = \cdots = p_{\beta n}(v) = 0\big] = 2^{-\beta n},$$

and we are done, since $\beta > 1$. □
As mentioned earlier, we would also like to allow sampling from noisy systems of equations, defined as follows: let $\mathcal{R}_{d,A,m,\varepsilon}$ be the probability distribution over $m$-tuples $(p_1, \dots, p_m)$ that sets exactly $(1 - \varepsilon)m$ of the polynomials $p_i$ (chosen uniformly at random) to be uniformly-random samples from $I_{d,A}$, and that sets the remaining $\varepsilon m$ of the polynomials $p_i$ to be uniformly-random samples from $I_{d,A'}$, for a uniformly-random subspace $A' \leq \mathbb{F}_2^n$ of dimension $\dim(A)$. (Note that a different $A'$ is chosen for every such $p_i$.) Then using a Chernoff bound, it is not hard to show that, provided $m$ is large enough compared to $n$, a sample from $\mathcal{R}_{d,A,m,\varepsilon}$ also uniquely defines the subspace $A$ with overwhelming probability.

Lemma 32. Fix $A \leq \mathbb{F}_2^n$ and $\varepsilon < 1/2$, let $\beta > \frac{3}{(1 - 2\varepsilon)^2}$, and choose polynomials $p_1, \dots, p_{\beta n}$ from $\mathcal{R}_{d,A,\beta n,\varepsilon}$. Let $w(v) := \sum_{i=1}^{\beta n} p_i(v)$ (a sum over the integers), and let $Z$ be the set of $v \in \mathbb{F}_2^n$ such that $w(v) \leq \varepsilon\beta n$. Then $A \subseteq Z$, and $\Pr[Z = A] = 1 - 2^{-\Omega(n)}$.

Proof. Again, $A \subseteq Z$ is clear, since at a point of $A$ only the $\varepsilon\beta n$ noisy polynomials can be nonzero. For the probabilistic part, fix $v \notin A$. Then by the union bound, it suffices to show that $\Pr[v \in Z] \leq a^{n}$ for some $a < 1/2$.

Observe that, in expectation, $v$ is a zero of only a little more than half of the polynomials $p_1, \dots, p_{\beta n}$. If $p_i$ was chosen to vanish on $A$, then $\mathbb{E}[p_i(v)] = 1/2$, by the argument of Lemma 31. If $p_i$ was chosen to vanish on a uniformly-random $A'$, then

$$\mathbb{E}[p_i(v)] \geq \frac{1}{2} - \Pr[v \in A'] \geq \frac{1}{2} - \frac{1}{2^{n/2}}.$$

Hence

$$\mathbb{E}\big[p_1(v) + \cdots + p_{\beta n}(v)\big] \geq \beta n \left(\frac{1}{2} - \frac{1}{2^{n/2}}\right).$$

Furthermore, the $p_i$'s are chosen independently, up to an irrelevant ordering. Choose $\delta := 1 - 2\varepsilon$, so that $\frac{1 - \delta}{2} = \varepsilon$; since the expectation above is $(1 - o(1))\,\beta n / 2$, the threshold $\varepsilon\beta n = (1 - \delta)\beta n / 2$ is at most $(1 - \delta + o(1))$ times it. Then by a Chernoff bound,

$$\Pr[v \in Z] = \Pr\big[p_1(v) + \cdots + p_{\beta n}(v) \leq \varepsilon\beta n\big] \leq \exp\!\left(-\frac{(\delta - o(1))^2}{2}\,\beta n\left(\frac{1}{2} - \frac{1}{2^{n/2}}\right)\right) = \exp\!\left(-\frac{\beta n}{4}\,(1 - 2\varepsilon)^2\,(1 - o(1))\right) < 0.48^n$$

for large enough $n$, because $\beta (1 - 2\varepsilon)^2 / 4 > 3/4 > \ln(1/0.48) \approx 0.734$. □

6.2 Explicit Hidden-Subspace Mini-Scheme

In our explicit mini-scheme, the bank chooses a subspace $A$ randomly and publishes sets of polynomials drawn from $\mathcal{R}_{d,A,\beta n,\varepsilon}$ and $\mathcal{R}_{d,A^\perp,\beta n,\varepsilon}$, along with the quantum money state $|A\rangle$. By Lemma 32, a user can use these polynomials to test membership in $A$ and $A^\perp$, and can therefore implement the oracle mini-scheme in Section 5.1.

Formally, the mini-scheme $\mathcal{E}$ is defined as follows. Parameters $\varepsilon \in [0, 1/2)$, $\beta > \frac{4}{(1-2\varepsilon)^2}$, and $d \ge 3$ are fixed. The complexity of the verification procedure will grow like $O(\beta n^{d+1})$, but security might also improve for larger $\varepsilon$ and $d$. Then:

• $\mathrm{Bank}(0^n)$ selects an $n/2$-dimensional subspace $A < \mathbb{F}_2^n$ uniformly at random, say by selecting $n/2$ random linearly-independent generators. It then sets $s := (s_A, s_{A^\perp})$, where $s_A$ and $s_{A^\perp}$ are lists of polynomials drawn from $\mathcal{R}_{d,A,\beta n,\varepsilon}$ and $\mathcal{R}_{d,A^\perp,\beta n,\varepsilon}$ respectively. It prepares the money state $|A\rangle$ and outputs the banknote $|\$_s\rangle := |s\rangle|A\rangle$.

• $\mathrm{Ver}(¢)$ first checks that $¢$ has the form $(s_A, s_{A^\perp}, \rho)$ where $s_A = (p_1, \ldots, p_{\beta n})$ and $s_{A^\perp} = (q_1, \ldots, q_{\beta n})$ are lists of $\beta n$ polynomials over $\mathbb{F}_2$. If not, it rejects. If so, then it defines $Z$ and $Z^\perp$ to be the sets of points $v \in \mathbb{F}_2^n$ such that $\sum_{i=1}^{\beta n} p_i(v) \le \varepsilon \beta n$ and $\sum_{i=1}^{\beta n} q_i(v) \le \varepsilon \beta n$ respectively. (Recall that with overwhelming probability, $Z = A$ and $Z^\perp = A^\perp$. Also, while Ver will not have explicit listings of the exponentially-large sets $Z$ and $Z^\perp$, all that matters for us is that it can efficiently apply the projections $P_Z$ and $P_{Z^\perp}$.) It then applies the operation $V_Z := H^{\otimes n} P_{Z^\perp} H^{\otimes n} P_Z$ to $\rho$, and accepts $¢$ if and only if $V_Z(\rho)$ accepts.
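As an added example (not code from the paper), the following Python simulation implements Lemma 32 and the verifier above for $n = 8$, $d = 3$, $\varepsilon = 0.2$, $\beta = 12$: it samples a random $A$, publishes the two noisy polynomial systems, rebuilds $Z$ and $Z^\perp$ by the counting rule, and evaluates $V_Z$ on the money state $|A\rangle$ and on a single classical element of $A$. Its sampler for $I_{d,A}$ (random combinations $\sum_j (u_j \cdot x)\, g_j(x)$ over a basis $u_j$ of $A^\perp$) is an assumed simplification that is not necessarily uniform over $I_{d,A}$, and the brute-force linear algebra is only meant for small $n$.

```python
"""Hidden-subspace verifier over F_2^n built from noisy polynomial systems.
Constructed example: vectors in F_2^n are ints (bit i = coordinate x_i); a
polynomial is a frozenset of monomials, each a bitmask of the variables it uses.
"""
import random
from itertools import combinations

N, D = 8, 3          # n variables/qubits and polynomial degree d
EPS, BETA = 0.2, 12  # decoy fraction and multiplier; beta > 4/(1-2*eps)^2 = 11.1
M = BETA * N         # polynomials per published system (beta*n)
DECOYS = int(EPS * M)

def dot(u, v):
    return bin(u & v).count("1") & 1

def reduce_basis(vectors):
    """Row-reduce over F_2; returns independent vectors with distinct leading bits."""
    basis = {}
    for v in vectors:
        for piv in sorted(basis, reverse=True):
            if v >> piv & 1:
                v ^= basis[piv]
        if v:
            basis[v.bit_length() - 1] = v
    return list(basis.values())

def random_subspace(rng, dim):
    """Uniformly random dim-dimensional subspace of F_2^n, given by a basis."""
    while True:
        basis = reduce_basis(rng.getrandbits(N) for _ in range(dim))
        if len(basis) == dim:
            return basis

def span(basis):
    vectors = {0}
    for b in basis:
        vectors |= {v ^ b for v in vectors}
    return vectors

def orthogonal_complement(basis):
    """Basis of A-perp = {u : u.v = 0 for all v in A}; brute force is fine for n = 8."""
    return reduce_basis(u for u in range(1 << N) if all(dot(u, b) == 0 for b in basis))

def eval_poly(poly, v):
    return sum((v & m) == m for m in poly) & 1

def random_vanishing_poly(rng, perp_basis):
    """p(x) = sum_j (u_j . x) g_j(x) for a basis u_j of A-perp, random g_j of degree <= D-1.
    Such p vanishes on A; at v outside A some u_j . v = 1, so p(v) is a uniform bit,
    which is the property Lemma 32 relies on.
    """
    monos = [sum(1 << i for i in c) for k in range(D) for c in combinations(range(N), k)]
    poly = set()
    for u in perp_basis:
        for m in monos:
            if rng.getrandbits(1):
                for i in range(N):
                    if u >> i & 1:
                        poly ^= {m | (1 << i)}  # x_i * m, using x_i^2 = x_i over F_2
    return frozenset(poly)

def sample_noisy_system(rng, basis):
    """A sample from R_{d,A,M,EPS}: M - DECOYS genuine polynomials plus DECOYS decoys."""
    perp = orthogonal_complement(basis)
    polys = [random_vanishing_poly(rng, perp) for _ in range(M - DECOYS)]
    for _ in range(DECOYS):  # each decoy vanishes on its own random A' of the same dimension
        polys.append(random_vanishing_poly(rng, orthogonal_complement(random_subspace(rng, len(basis)))))
    rng.shuffle(polys)
    return polys

def in_Z(polys, v):
    """Ver's rule: v is in Z iff at most EPS*M of the published polynomials are nonzero at v."""
    return sum(eval_poly(p, v) for p in polys) <= EPS * M

def accept_probability(Z, Zperp, state):
    """Probability that V_Z = H^n P_{Z-perp} H^n P_Z accepts a pure state (2^n amplitudes)."""
    amp = [a if v in Z else 0.0 for v, a in enumerate(state)]  # standard-basis test P_Z
    for i in range(N):                                          # H^(x)n as a Walsh-Hadamard transform
        for v in range(1 << N):
            if not v >> i & 1:
                a, b = amp[v], amp[v | 1 << i]
                amp[v], amp[v | 1 << i] = (a + b) / 2 ** 0.5, (a - b) / 2 ** 0.5
    return sum(a * a for v, a in enumerate(amp) if v in Zperp)  # Hadamard-basis test P_{Z-perp}

def demo(seed=7):
    rng = random.Random(seed)
    A = random_subspace(rng, N // 2)
    s_A, s_perp = sample_noisy_system(rng, A), sample_noisy_system(rng, orthogonal_complement(A))
    Z = {v for v in range(1 << N) if in_Z(s_A, v)}
    Zperp = {v for v in range(1 << N) if in_Z(s_perp, v)}
    money = [2 ** (-N / 4) if v in span(A) else 0.0 for v in range(1 << N)]  # the state |A>
    one_element = [1.0 if v == A[0] else 0.0 for v in range(1 << N)]          # |x> for one x in A
    return {
        "Z_equals_A": Z == span(A),
        "Zperp_equals_Aperp": Zperp == span(orthogonal_complement(A)),
        "p_accept_money": accept_probability(Z, Zperp, money),              # 1.0
        "p_accept_one_element": accept_probability(Z, Zperp, one_element),  # 2^(-n/2) = 1/16
    }
```

For this seed the run recovers $Z = A$ and $Z^\perp = A^\perp$ exactly, accepts $|A\rangle$ with probability 1, and accepts a classical basis state $|x\rangle$, $x \in A$, only with probability $2^{-n/2} = 1/16$, which is why knowing a few elements of $A$ does not by itself yield a banknote.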

6.3 Analysis

We first observe that the mini-scheme $\mathcal{E}$ has perfect completeness.

Theorem 33. $\mathcal{E}$ has perfect completeness.

Proof. This follows from Lemmas 31 and 32, and particularly from the fact that $A \subseteq Z$ and $A^\perp \subseteq Z^\perp$ with certainty. From this it follows that $V_Z := H^{\otimes n} P_{Z^\perp} H^{\otimes n} P_Z$ accepts the state $|A\rangle$ with probability 1. $\square$

Let us remark that, if we want the fraction $\varepsilon$ of "decoy" polynomials to be even greater than $1/2$, then we can define a variant of our scheme that works for all $\varepsilon < 1$. In this variant scheme, Ver will guess that $v \in A$ (i.e., put $v \in Z$) if
$$p_1(v) + \cdots + p_{\beta n}(v) \le \frac{(1+\varepsilon)\beta n}{4},$$
and will guess that $v \notin A$ (i.e., put $v \notin Z$) otherwise. By direct analogy with Lemma 32, one can prove using a Chernoff bound that this rule will guarantee $\Pr[Z = A] = 1 - 2^{-\Omega(n)}$, and likewise $\Pr[Z^\perp = A^\perp] = 1 - 2^{-\Omega(n)}$, provided we set $\beta$ sufficiently large as a function of $\varepsilon$. However, the disadvantage is that if $\varepsilon > 1/3$, then we lose the property that $A \subseteq Z$ and $A^\perp \subseteq Z^\perp$ with probability 1, since $\varepsilon > \frac{1+\varepsilon}{4}$. This means, in particular, that we lose perfect completeness, and can only ensure a completeness error of $2^{-\Omega(n)}$.

We now wish to argue about $\mathcal{E}$'s soundness. Naturally, we can only hope to prove soundness assuming some computational hardness conjecture. What is nice, though, is that we can base $\mathcal{E}$'s soundness on a conjecture that talks only about the hardness of a "classical" cryptographic problem (i.e., a problem with classical inputs and outputs). Let us now state that conjecture, which is simply the abstract Conjecture 28 specialized to the setting of multivariate polynomials.

Conjecture 34 (Direct Product for Finding Subspace Elements). Let $\varepsilon < 1/2$ and $\beta := \frac{4}{(1-2\varepsilon)^2}$. Given samples from $\mathcal{R}_{d,A,\beta n,\varepsilon}$ and $\mathcal{R}_{d,A^\perp,\beta n,\varepsilon}$, no polynomial-time quantum algorithm can find a complete list of generators for $A$ with success probability $\Omega(2^{-n/2})$.

Note that it is easy to find one nonzero element of $A$ with success probability $2^{-n/2}$, by choosing $x \in \mathbb{F}_2^n$ randomly. Conjecture 34 asserts both that it is impossible to do too much better using $\mathcal{R}_{d,A,\beta n,\varepsilon}$ and $\mathcal{R}_{d,A^\perp,\beta n,\varepsilon}$, and that finding multiple elements of $A$ is significantly harder than finding one element.

The security of mini-scheme $\mathcal{E}$ follows easily from Conjecture 34, despite the fact that a would-be counterfeiter has access to a valid quantum banknote, whereas Conjecture 34 involves no such assumption.



Theorem 35 (Security Reduction for Explicit Mini-Scheme). If Conjecture 34 holds, then $\mathcal{E}$ is secure.

Proof. Let $C_\mathcal{E}$ be a counterfeiter against $\mathcal{E}$. Then we need to show that, using $C_\mathcal{E}$, we can find a complete list of generators for $A$ with $\Omega(2^{-n/2})$ success probability.

Given $A < \mathbb{F}_2^n$ with $\dim(A) = n/2$, let $s := (s_A, s_{A^\perp})$ where $s_A$ and $s_{A^\perp}$ are samples from $\mathcal{R}_{d,A,\beta n,\varepsilon}$ and $\mathcal{R}_{d,A^\perp,\beta n,\varepsilon}$ respectively. Recall from Lemma 32 that $\Pr[A = Z] = 1 - 2^{-\Omega(n)}$ and $\Pr[A^\perp = Z^\perp] = 1 - 2^{-\Omega(n)}$. Provided both of these events occur, we can use $s$ to decide membership in $A$, and can therefore apply the projective measurement $P_A$. So let us prepare the uniform superposition over all $2^n$ elements of $\mathbb{F}_2^n$, and then apply $P_A$ to it. With probability $2^{-n/2}$, this produces the state $|A\rangle$.

Once we have $s$ and $|A\rangle$, we can then form the banknote $|\$\rangle := |s\rangle|A\rangle$, and provide this banknote to the counterfeiter $C_\mathcal{E}$. By hypothesis, $C_\mathcal{E}$ outputs a (possibly-entangled) state $\rho$ on two registers, such that $\langle A|^{\otimes 2} \rho |A\rangle^{\otimes 2} \ge \Delta$ for some $\Delta = \Omega(1/\mathrm{poly}(n))$. But now, because the mini-scheme $\mathcal{E}$ is projective, Theorem 15 applies, and we can amplify $\rho$ to increase its fidelity with $|A\rangle$. After $O\left(\frac{1}{\Delta}\log n\right)$ calls to $C_\mathcal{E}$, this gives us a state $\sigma$ such that
$$\langle A|^{\otimes 2} \sigma |A\rangle^{\otimes 2} \ge 1 - \frac{1}{n^2}.$$
More generally, by alternating counterfeiting steps and amplification steps, we can produce as many registers as we like that each have large overlap with $|A\rangle$. In particular, we can produce a state $\xi$ such that
$$\langle A|^{\otimes n} \xi |A\rangle^{\otimes n} \ge 1 - o(1).$$
If we now run Ver on each of the registers of $\xi$, the probability that every invocation accepts is $1 - o(1)$. Furthermore, supposing that happens, the state we are left with is simply $|A\rangle^{\otimes n}$.

Finally, we measure each register of $|A\rangle^{\otimes n}$ in the standard basis. This gives us $n$ elements $x_1, \ldots, x_n \in A$, which are independent and uniformly random. So by standard estimates, the probability that $x_1, \ldots, x_n$ do not contain a complete generating set for $A$ is $1/\exp(n)$.

Overall, the procedure above succeeded with prob ability $2^{-n/2}(1 - o(1))$, thereby giving us the desired contradiction with Conjecture 34. $\square$

Using the standard construction of quantum money schemes, we can now produce a complete explicit money scheme, whose security follows from Conjecture 34.

Theorem 36 (Security Reduction for Explicit Scheme). Assuming Conjecture 34, there exists a public-key quantum money scheme with perfect completeness and soundness error $2^{-\Omega(n)}$.

Proof. We apply the standard construction of Theorem 16 with the mini-scheme $\mathcal{E}$, whose completeness and soundness follow from Theorems 33 and 35 respectively, assuming Conjecture 34. $\square$
6.4 Justifying Our Hardness Assumption

Though our hardness assumption is new, it is closely related to standard assumptions in multivariate polynomial cryptography. Given a system of multivariate quadratics over $\mathbb{F}_2$, finding a common zero is known to be NP-hard; moreover, it is strongly believed that the problem remains hard even for random systems of multivariate polynomials, and cryptosystems based on this hardness assumption are considered promising candidates for post-quantum cryptography [21]. Therefore, if Conjecture 34 fails, it will almost certainly be because some additional structure in this problem facilitates a new attack.

There are several ways in which Conjecture 34 is stronger than the assumption that solving random systems of multivariate polynomials is hard. First, our systems have large, well-structured solution spaces $A$ and $A^\perp$. Systems with many solutions are not normally considered in the literature, and while there seem to be no known attacks that exploit this structure, the possibility is not ruled out. Second, we provide two related systems, one with zeroes in $A$ and one with zeroes in $A^\perp$. Again, this is a very specific structural property which has not been considered, and there might be unexpected attacks exploiting it. Third, Conjecture 34 asserts that no adversary can succeed with probability $2^{-n/2}$, which seems significantly easier than succeeding with non-negligible probability.

On the other hand, Conjecture 34 is weaker than typical assumptions in multivariate polynomial cryptography in at least one respect: a would-be counterfeiter needs to solve a system of polynomial equations with a constant fraction of noise. Solving noisy systems of linear equations over $\mathbb{F}_2$ is called the learning parity with noise problem, and is generally believed to be hard even for quantum computers [38]. If true, this suggests that Gaussian elimination is fundamentally hard to adapt to the presence of noise. But computing a Gröbner basis is a strict generalization of Gaussian elimination to higher degree, and involves a nearly identical process of elimination. It therefore seems unlikely that these approaches can be efficiently adapted to the setting with noise. The problem of solving polynomials with noise has been studied recently, and the best-known approaches involve performing an exponential time search to determine which equations are noisy [6].

But if solving linear systems with noise is already hard, why do we even use higher-degree polynomials in our scheme? The reason is that, alas, the "dual" structure of our money scheme facilitates a simple attack in the case $d = 1$.

Claim 37. For all $\varepsilon < 1/2$, there exists a $\beta$ such that one can recover $A$ efficiently given samples from $\mathcal{R}_{1,A,\beta n,\varepsilon}$ and $\mathcal{R}_{1,A^\perp,\beta n,\varepsilon}$.

Proof. Let $p_1, \ldots, p_m$ and $q_1, \ldots, q_m$ be homogeneous linear polynomials, of which a $1-\varepsilon$ fraction vanish on $A$ and $A^\perp$ respectively. Then the key observation is that each $p_i$ vanishes on $A$ if and only if it has the form $p_i(v) = u_i \cdot v$ for some $u_i \in A^\perp$, while each $q_i$ vanishes on $A^\perp$ if and only if it has the form $q_i(v) = w_i \cdot v$ for some $w_i \in A$. But by Lemma 32, if $\beta > \frac{4}{(1-2\varepsilon)^2}$, then for each $i \in [m]$, we can efficiently decide whether $u_i \in A^\perp$ by counting the number of $j$'s for which $q_j(u_i) = 0$, and can likewise decide whether $w_i \in A$ by counting the number of $j$'s for which $p_j(w_i) = 0$. Thus we can learn $\Theta(n)$ random elements of $A$ or $A^\perp$, and thereby recover a basis for $A$. $\square$

(This claim also goes through, with no essential changes, for the variant of our scheme discussed earlier with $\varepsilon \in [1/2, 1)$, i.e., the variant without perfect completeness.)

There might be a more sophisticated attack for higher degrees, but this is suggested only weakly by the existence of an attack in the linear case. Indeed, the relation between the complementary linear subspaces $A$ and $A^\perp$ is precisely the sort of structure that should be preserved by linear maps, but not by higher-degree polynomials!

For degree-2 polynomials, it is possible to obtain a similar attack which recovers $A$ from only a single sample. This attack relies on the observation that quadratics have an easily-computed canonical form [17], from which a basis for $A$ can be extracted in polynomial time. The essential problem is that quadratic polynomials are very closely related to bilinear forms, and that powerful methods from linear algebra can therefore be applied to them.

Fortunately, the linear structure seems to be computationally obscured when $d \ge 3$. This phenomenon is related to the sharp discontinuity in the difficulty of tensor problems with order 3 and higher. More concretely, the coefficients of a degree-$d$ polynomial can be viewed as the entries of an order-$d$ tensor, and the existence of an attack in the degree $d = 2$ case corresponds to the possibility of efficient operations on order-2 tensors. Basic operations on order-3 tensors are NP-hard [27], however, and this suggests that analogous attacks might not exist against degree-3 polynomials.

This state of affairs is reflected in existing attacks on a standard cryptographic assumption called polynomial isomorphism with one secret. Here we are given two polynomials $p, q$ which are related by an unknown linear change of coordinates $L$, and the task is to find such an $L$. For degree-2 polynomials, this problem can be easily solved in polynomial time [17], but already for degree-3 polynomials the best known attacks take exponential time [37, 25, 17]. However, if an attacker is given $n$ bits of partial information about the linear transformation, then even in the $d = 3$ case, it becomes possible to find the linear transformation that relates the polynomials [17]. This does not directly facilitate an attack on our assumption, but it suggests that a similar attack might be possible when $d = 3$, since an attacker is only required to succeed with $2^{-n/2}$ probability. Fortunately, this attack seems to rely on the particular structure of degree 2 and 3 polynomials. Of course it is possible that similar algorithms may be discovered for higher-degree polynomials, but this would represent an advance in algebraic cryptanalysis.

7 Private-Key Quantum Money

Recall that a private-key quantum money scheme is one where only the bank itself is able to verify banknotes, using an $n$-bit key $k = k_{\mathrm{private}} = k_{\mathrm{public}}$ that it keeps a closely-guarded secret. Compensating for this disadvantage, private-key schemes are known with much stronger security guarantees than seem possible for public-key schemes.

In particular, as mentioned in Section 1.1, already forty years ago Wiesner [41] described how to create private-key quantum money that is information-theoretically secure. In Wiesner's scheme, each banknote consists of $n$ unentangled qubits together with a classical serial number $s$. Wiesner's scheme also requires a giant database of serial numbers maintained by the bank, or in our setting, access to a random oracle $R$. But in followup work, BBBW [14] pointed out that we can replace $R$ by any pseudorandom function family $\{f_k\}_k$, to obtain a private-key quantum money scheme that is computationally secure, unless a polynomial-time algorithm can distinguish the $f_k$'s from random functions.

Strangely, we are unaware of any rigorous proof of the security of Wiesner's scheme until recently. However, answering a question by one of us (see http://theoreticalphysics.stackexchange.com/questions/370/rigorous-security-proof-for-wiesners-quantum-money), Molina, Vidick and Watrous [32] have now supplied the key ingredient for a security proof. Specifically they show that, if a counterfeiter tries to copy an $n$-qubit banknote $|\$\rangle$ in Wiesner's scheme, then the output can have squared fidelity at most $(3/4)^n$ with $|\$\rangle$. (They also show that this is tight: there exists a non-obvious counterfeiting strategy that succeeds with $(3/4)^n$ probability.)

To complete the security proof, one needs to show that, even given $q$ banknotes $|\$_1\rangle, \ldots, |\$_q\rangle$, a counterfeiter cannot prepare an additional banknote with non-negligible probability (even with a new serial number). In a forthcoming paper [4], we will show how to adapt the methods of Section 3 to prove that claim. Briefly, one can first define a notion of private-key mini-schemes, in close analogy to public-key mini-schemes. The work of Molina et al. [32] then directly implies the security of what we call the "Wiesner mini-scheme." Next, one can give a general reduction, showing how to construct a full-blown private-key quantum money scheme $\mathcal{S}$ starting from

(1) any private-key mini-scheme $\mathcal{M}$, and

(2) any random or pseudorandom function family $R$.

Though the details turn out to be more complicated in the private-key case, the proof of correctness for this reduction is conceptually similar to the proof of Theorem 16. Namely, one shows that any counterfeiter would yield either a break of the underlying mini-scheme $\mathcal{M}$, or else a way to distinguish $R$ from a random function. Notice that the analysis is completely unified: if $R$ is a "true" random oracle, then we get information-theoretic security (as in Wiesner's scheme), while if $R$ is pseudorandom, then we get computational security (as in the BBBW scheme).

Unfortunately, as pointed out by Lutomirski [29] and Aaronson [2], the Wiesner and BBBW schemes both have a serious security hole. Namely, suppose a counterfeiter $C$ can repeatedly submit alleged banknotes to a "naive and trusting bank" for verification. Given a quantum state $\sigma$, such a bank not only tells $C$ whether the verification procedure accepted or rejected, but also, in either case, gives the post-measurement state $\sigma$ back to $C$. Then starting from a single valid banknote $|\$\rangle$, we claim that $C$ can recover a complete classical description of $|\$\rangle$, using $O(n \log n)$ queries to the bank. Once it has such a description, $C$ can of course prepare as many copies of $|\$\rangle$ as it likes.

The attack is simple: let $|\$\rangle = |\theta_1\rangle \cdots |\theta_n\rangle$ (we omit the classical serial number $s$, since it plays no role here). Then for each $i \in [n]$, the counterfeiter tries "swapping out" the $i$th qubit $|\theta_i\rangle$ and replacing it with $|b\rangle$, for each of the four possibilities $|b\rangle \in \{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$. It then uses $O(\log n)$ queries to the bank, to estimate the probability that the state $|\theta_1\rangle \cdots |\theta_{i-1}\rangle |b\rangle |\theta_{i+1}\rangle \cdots |\theta_n\rangle$ passes the verification test. By doing so, $C$ can learn a correct value of $|\theta_i\rangle$ with success probability $1 - O(1/n)$. The crucial point is that none of these queries damage the qubits not being investigated ($|\theta_j\rangle$ for $j \ne i$), since the bank measures those qubits in the correct bases. Therefore $C$ can reuse the same banknote for each query.

More generally, recall from Section 3.1 that we call a private-key quantum money scheme query-secure, if it remains secure even assuming the counterfeiter $C$ can make adaptive queries to $\mathrm{Ver}(k, \cdot)$. Then we saw that the Wiesner and BBBW schemes are not query-secure. Recently, Farhi et al. [22] proved a much more general "no-go" theorem — which says intuitively that, if we want query-secure quantum money, then the banknotes must hide information in the "global correlations" between large numbers of qubits.

Theorem 38 (Adaptive Attack on Wiesner-Like Schemes [22]). No quantum money scheme can be query-secure, if

(i) the banknotes have the form $|\$_s\rangle = |s\rangle|\psi_s\rangle$,

(ii) verification of $(s, \rho)$ consists of projecting $\rho$ onto $|\psi_s\rangle\langle\psi_s|$, and

(iii) $|\psi_s\rangle$ can be reconstructed uniquely from the statistics of $T = \mathrm{poly}(n)$ efficiently-implementable measurements $M_1, \ldots, M_T$, each of which has at most $\mathrm{poly}(n)$ possible outcomes.

On the positive side, any public-key quantum money scheme — for example, our multivariate polynomial scheme from Section 6 — immediately yields a query-secure scheme with the same security guarantee. This is because a counterfeiter who knows the code of Ver can easily simulate oracle access to Ver. But can we do any better than that, and construct a query-secure money scheme whose security is unconditional (as in Wiesner's scheme), or else based on a pseudorandom function (as in the BBBW scheme)?

In the forthcoming paper [3], we will answer this question in the affirmative, by directly adapting the hidden subspace scheme from Section 5 (i.e., the scheme based on a classical oracle). Since the idea is an extremely simple one, let us sketch it here.

Theorem 39 (Query-Secure Variant of Wiesner's Scheme). Relative to a random oracle $R$, there exists a private-key quantum money scheme, with perfect completeness and $2^{-\Omega(n)}$ soundness error, that is information-theoretically query-secure. One can also replace the random oracle $R$ by a pseudorandom function family $\{f_k\}_k$, to obtain a private-key quantum money scheme, with no oracle, that is query-secure assuming that the $f_k$'s cannot be distinguished from random in quantum polynomial time.

(Or alternatively, instead of a random oracle, one can assume the bank has access to a giant random number table, as in Wiesner's original setup [41].)

Proof Sketch. For each key $k$ and serial number $s$, we will think of the random oracle $R$ as encoding a classical description $R(k, s)$ of a subspace $A_{k,s} < \mathbb{F}_2^n$, which is uniformly random subject to $\dim(A_{k,s}) = n/2$. Let $|A_{k,s}\rangle$ be a uniform superposition over $A_{k,s}$. Then the private-key money scheme $\mathcal{S} = (\mathrm{KeyGen}, \mathrm{Bank}, \mathrm{Ver})$ is defined as follows:

• $\mathrm{KeyGen}(0^n)$ generates an $n$-bit key $k$ uniformly at random.

• $\mathrm{Bank}(k)$ outputs a banknote $|\$_s\rangle := |s\rangle|A_{k,s}\rangle$, for a random serial number $s \in \{0,1\}^n$.

• $\mathrm{Ver}(k, (s, \rho))$ applies a projective measurement that accepts $\rho$ with probability $\langle A_{k,s}|\rho|A_{k,s}\rangle$.

Now, suppose it were possible to break $\mathcal{S}$ (i.e., to counterfeit $|A_{k,s}\rangle$), using $\mathrm{poly}(n)$ adaptive queries to $\mathrm{Ver}(k, \cdot)$. Then we claim that it would also be possible to break our public-key scheme from Section 5, and thereby contradict the unconditional security proof for the latter! The reason is simply that any query to Ver, of the form $\mathrm{Ver}(k, (s, \rho))$, can easily be simulated using queries to $U_{A_{k,s}}$ and $U_{A^\perp_{k,s}}$, the membership oracles for $A_{k,s}$ and $A^\perp_{k,s}$ respectively that are available to a counterfeiter against the public-key scheme.

Finally, suppose we replace $R(k, s)$ by a pseudorandom function $f_k(s)$. Then just like with the original BBBW scheme [13], we can argue as follows. Since we already showed that $\mathcal{S}$ is information-theoretically secure when instantiated with a "true" random function, any break of $\mathcal{S}$ in the pseudorandom case would thereby distinguish the function $f_k$ from random. $\square$
8 Open Problems

The "obvious" problem is to better understand the security of our explicit scheme based on polynomials. Are there nontrivial attacks, for example using Gröbner-basis algorithms? Can we base the security of our scheme — or a related scheme — on some cryptographic assumption that does not involve exponentially-small success probabilities? What happens as we change the field size or polynomial degree? Does "hiding" a subspace $A < \mathbb{F}_2^n$ in the way we suggest, as the set of common zeroes of multivariate polynomials $p_1, \ldots, p_m : \mathbb{F}_2^n \to \mathbb{F}_2$, have other cryptographic applications, for example to program obfuscation [10]?

Of course, there is also tremendous scope for inventing new schemes, which might be based on different assumptions and have different strengths and weaknesses.

Let us move on to some general questions about public-key quantum money. First, is there an unconditionally-secure public-key quantum money scheme relative to a random oracle $R$? (Recall that Wiesner's original scheme [41] was unconditionally-secure and used only a random oracle, but was private-key. Meanwhile, our scheme from Section 5 is unconditionally-secure and public-key, but requires a non-random oracle.) Second, is there a public-key quantum money scheme where the banknotes consist of single, unentangled qubits, as in Wiesner's scheme? Note that the results of Farhi et al. [22] imply that, if such a scheme exists, then it cannot be projective. Third, is there a general way to amplify soundness error in quantum money schemes? (We show how to amplify completeness error in Appendix 9. Theorem 15 gives some soundness amplification for projective schemes: namely, from constant to $1/\mathrm{poly}(n)$. Here we are asking whether one can do anything better.)

8.1 Quantum Copy-Protection and More

Quantum money is just one novel cryptographic use for the No-Cloning Theorem. Given essentially any object of cryptographic interest, one can ask whether quantum mechanics lets us make the object uncloneable. Section 1 already discussed one example — uncloneable signatures — but there are many others, such as commitments and proofs. (Even within complexity theory, it would be interesting to study the class QMA (Quantum Merlin-Arthur) subject to the constraint that witnesses must be hard to clone — or alternatively, that witnesses must be easy to clone!)

Along those lines, Aaronson [3] proposed a task that, if achievable, would arguably be an even more dramatic application of the No-Cloning Theorem than quantum money: namely, quantum software copy-protection. He gave explicit schemes — which have not yet been broken — for copy-protecting a restricted class of functions, namely the point functions. In these schemes, given a "password" $s \in \{0,1\}^n$, a software vendor can prepare a quantum state $|\psi_s\rangle$, which allows its holder to recognize $s$: in other words, to decide whether $x = s$ given $x \in \{0,1\}^n$ as input. On the other hand, given $|\psi_s\rangle$, it seems intractable not only to find $s$ for oneself, but even to prepare a second quantum state with which $s$ can be recognized.

Admittedly, recognizing passwords is an extremely restricted functionality. However, relative to a quantum oracle, Aaronson [3] also described a scheme to quantumly copy-protect arbitrary programs, just as well as if the software vendor were able to hand out uncloneable black boxes. (As usual, full details have not yet appeared.) In the spirit of this paper, we can now ask: is there likewise a way to quantumly copy-protect arbitrary programs relative to a classical oracle? We conjecture that the answer is yes, and in fact we have plausible candidate constructions, which are directly related to the hidden-subspace money scheme of Section 5. However, the security of those constructions seems to hinge on the following conjecture.

Conjecture 40 (Direct Product for Finding Black-Box Subspace Elements). Let $A$ be a uniformly-random subspace of $\mathbb{F}_2^n$ satisfying $\dim(A) = n/2$. Then given membership oracles for both $A$ and $A^\perp$, any quantum algorithm needs $2^{\Omega(n)}$ queries to find two distinct nonzero elements $x, y \in A$, with success probability $\Omega(2^{-n/2})$.

Besides its applications for copy-protection, a proof of Conjecture 40 would be an important piece of formal evidence for Conjecture 34, on which we based the security of our explicit money scheme.

9 Appendix: Reducing Completeness Error

When we defined quantum money schemes and mini-schemes in Section 3, we allowed the verifier to reject a legitimate money state with probability up to $1/3$. But of course, a money scheme with completeness error $\varepsilon = 1/3$ is not very useful in practice! So in this appendix, we prove that the completeness error $\varepsilon$ can be made exponentially small in $n$, at the cost of only a modest increase in the soundness error $\delta$ (i.e., the probability of successful counterfeiting).

Theorem 41 (Completeness Amplification for Mini-Schemes). Let $\mathcal{M} = (\mathrm{Bank}, \mathrm{Ver})$ be a quantum money mini-scheme with completeness error $\varepsilon < 1/2$ and soundness error $\delta < 1 - 2\varepsilon$. Then for all polynomials $p$ and all $\delta' > \frac{\delta}{1 - 2\varepsilon}$, we can construct an amplified mini-scheme $\mathcal{M}' = (\mathrm{Bank}', \mathrm{Ver}')$ with completeness error $1/2^{p(n)}$ and soundness error $\delta'$.

Proof. Let $k = \mathrm{poly}(n)$ and $\eta > 0$ be parameters to be determined later. Our construction of $\mathcal{M}'$ is the "obvious" one based on repetition:

• $\mathrm{Bank}'(0^n)$ outputs a composite banknote $\$' := (s_1 \cdots s_k, \rho_{s_1} \cdots \rho_{s_k})$, where $(s_1, \rho_{s_1}), \ldots, (s_k, \rho_{s_k})$ are banknotes output independently by $\mathrm{Bank}(0^n)$.

• $\mathrm{Ver}'(¢)$ runs $\mathrm{Ver}(¢_1), \ldots, \mathrm{Ver}(¢_k)$, where $¢_1, \ldots, ¢_k$ are the $(s, \rho_s)$ pairs in the alleged composite banknote $¢$, and accepts if and only if at least $(1 - \varepsilon - \eta)k$ invocations accept.

Note that $\mathrm{Ver}'_2$, the amplified double verifier, then takes as input a state of the form
$$(s_1 \cdots s_k, \sigma_1 \cdots \sigma_k, \xi_1 \cdots \xi_k),$$
and accepts if and only if $\mathrm{Ver}'(s_1 \cdots s_k, \sigma_1 \cdots \sigma_k)$ and $\mathrm{Ver}'(s_1 \cdots s_k, \xi_1 \cdots \xi_k)$ both accept. By choosing $k$ sufficiently large and applying a Chernoff bound, it is clear that we can make the completeness error $1/2^{p(n)}$ for any polynomial $p$.

Meanwhile, suppose $\mathcal{M}'$ has soundness error $\delta'$: in other words, there exists a counterfeiter $C'$ such that $\mathrm{Ver}'_2(s_1 \cdots s_k, C'(\$'))$ accepts with probability $\delta'$, given a valid composite banknote $\$'$. Then to prove the theorem, it suffices to construct a counterfeiter $C$ for the original mini-scheme $\mathcal{M}$, such that $\mathrm{Ver}_2(s, C(\$))$ accepts with probability $\delta \ge (1 - 2\varepsilon - 2\eta)\delta'$, given a valid banknote $\$ = (s, \rho_s)$.

This $C$ works as follows:

(1) By calling $\mathrm{Bank}'(0^n)$, generate a new composite banknote $\$' = (\$_1, \ldots, \$_k)$.

(2) Let $\$'_{\mathrm{new}}$ be the result of starting with $\$'$, then swapping out $\$_i$ for the banknote $\$$ to be copied, for some $i \in [k]$ chosen uniformly at random.

(3) Let $(s_1 \cdots s_k, \sigma_1 \cdots \sigma_k, \xi_1 \cdots \xi_k) := C'(\$'_{\mathrm{new}})$.

(4) Output $(s_i, \sigma_i, \xi_i)$.

By assumption,
$$\Pr[\mathrm{Ver}'_2(s_1 \cdots s_k, \sigma_1 \cdots \sigma_k, \xi_1 \cdots \xi_k) \text{ accepts}] \ge \delta'.$$
Now, suppose $\mathrm{Ver}'_2$ does accept. Then by the definition of $\mathrm{Ver}'_2$, at least $(1 - \varepsilon - \eta)k$ of
$$\mathrm{Ver}(s_1, \sigma_1), \ldots, \mathrm{Ver}(s_k, \sigma_k)$$
must have accepted, along with at least $(1 - \varepsilon - \eta)k$ of
$$\mathrm{Ver}(s_1, \xi_1), \ldots, \mathrm{Ver}(s_k, \xi_k).$$
So there must be at least $(1 - 2\varepsilon - 2\eta)k$ indices $j \in [k]$ such that $\mathrm{Ver}(s_j, \sigma_j)$ and $\mathrm{Ver}(s_j, \xi_j)$ both accepted. Therefore
$$\Pr[\mathrm{Ver}_2(s_i, \sigma_i, \xi_i) \text{ accepts}] = \Pr[\mathrm{Ver}(s_i, \sigma_i) \text{ and } \mathrm{Ver}(s_i, \xi_i) \text{ accept}] \ge (1 - 2\varepsilon - 2\eta)\delta'.$$
Taking $\eta > 0$ sufficiently small now yields the theorem. $\square$

A direct counterpart of Theorem 41, with exactly the same parameters, can be proved for public-key quantum money schemes. Once again, the main idea is to consider "composite banknotes" $\$' = (\$_1, \ldots, \$_k)$ — and this time, to associate with each $\$_i$ a different, independently-chosen public/private key pair. Another counterpart of Theorem 41 can be proved for digital signature schemes, indeed with slightly better parameters ($\delta' > \frac{\delta}{1-\varepsilon}$ instead of $\delta' > \frac{\delta}{1-2\varepsilon}$). We omit the details.

10 Appendix: Complexity-Theoretic No-Cloning Theorem

In Section 5, we applied the inner-product adversary method to show that a uniform superposition $|A\rangle$ over a random subspace $A < \mathbb{F}_2^n$ requires $\Omega(2^{n/4})$ quantum queries to duplicate, even if we are given access to an oracle that decides membership in both $A$ and $A^\perp$. For completeness, in this appendix we present a simpler application of the inner-product adversary method: namely, we show that a Haar-random $n$-qubit state $|\psi\rangle$ requires $\Omega(2^{n/2})$ queries to duplicate, if we are given access to an oracle $U_\psi$ that accepts $|\psi\rangle$ and that rejects every state orthogonal to $|\psi\rangle$. The latter is the original result that Aaronson [3] called the "Complexity-Theoretic No-Cloning Theorem," though a proof has not appeared until now.

In Section 5, we used the lower bound for copying subspace states to construct a quantum money mini-scheme that was provably secure relative to a classical oracle. In the same way, one can use the Complexity-Theoretic No-Cloning Theorem to construct a mini-scheme that is provably secure relative to a quantum oracle. We omit the details of that construction, not only because it is superseded by the classical oracle construction in Section 5, but because the two constructions are essentially the same. The one real difference is that the quantum oracle construction benefits from a quadratically better lower bound on the number of queries needed to counterfeit: $\Omega(2^{n/2})$ rather than $\Omega(2^{n/4})$.

Choose an $n$-qubit pure state $|\psi\rangle$ uniformly from the Haar measure, and fix $|\psi\rangle$ in what follows. Let $U_\psi$ be a unitary transformation such that $U_\psi|\psi\rangle = -|\psi\rangle$ and $U_\psi|\eta\rangle = |\eta\rangle$ for all $|\eta\rangle$ orthogonal to $|\psi\rangle$. The following is the direct analogue of Theorem 22.



Theorem 42 (Complexity-Theoretic No-Cloning). Given one copy of $|\psi\rangle$, as well as oracle access to $U_\psi$, a counterfeiter needs $\Omega(2^{n/2})$ queries to prepare $|\psi\rangle^{\otimes 2}$ with certainty (for a worst-case $|\psi\rangle$).

Proof. We will apply Theorem 20. Let the set $\mathcal{O}$ contain $U_\psi$ for every possible $n$-qubit state $|\psi\rangle$. Then $S_{U_\psi}$ is just the 1-dimensional subspace spanned by $|\psi\rangle$. Also, put $(U_\psi, U_\varphi) \in R$ if and only if $|\langle\psi|\varphi\rangle| = c$, for some $0 < c < 1$ to be specified later. Then for all $U_\psi \in \mathcal{O}$ and $|v\rangle \in S_{U_\psi}^\perp$, we have

$$\mathop{\mathbb{E}}_{\varphi : (U_\psi, U_\varphi) \in R}\left[\left|\langle v|\varphi\rangle\right|^2\right] \;\leq\; \mathop{\mathbb{E}}_{\eta : \langle\eta|\psi\rangle = 0}\left[\left|\langle\eta|v\rangle\right|^2\right] \;=\; \frac{1}{2^n - 1},$$

since every such $|\varphi\rangle$ has the form $c|\psi\rangle + \sqrt{1-c^2}\,|\eta\rangle$ with $|\eta\rangle$ orthogonal to $|\psi\rangle$, so that $|\langle v|\varphi\rangle|^2 = (1-c^2)\,|\langle\eta|v\rangle|^2$ for every $|v\rangle$ orthogonal to $|\psi\rangle$. So set $\varepsilon := \frac{1}{2^n - 1}$. If the counterfeiter succeeds, it must map $|\psi\rangle$ to some state $|f_\psi\rangle := |\psi\rangle|\psi\rangle|\mathrm{garbage}_\psi\rangle$ and $|\varphi\rangle$ to $|f_\varphi\rangle := |\varphi\rangle|\varphi\rangle|\mathrm{garbage}_\varphi\rangle$. Note that $|\langle f_\varphi|f_\psi\rangle| \leq c^2$. So setting $d := c^2$, Theorem 20 tells us that the counterfeiter must make

$$\Omega\left(\frac{c - d}{\sqrt{\varepsilon}}\right)$$

queries to $U_\psi$. Fixing (say) $c = 1/2$, this is $\Omega(2^{n/2})$. $\square$

Like Theorem 22, Theorem 42 is easily seen to be tight, since one can use the amplitude amplification algorithm (Lemma 7) to find $|\psi\rangle$, and thereby prepare $|\psi\rangle^{\otimes 2}$, using $O(2^{n/2})$ queries to $U_\psi$.

For completeness, we observe the following generalization of Theorem 42.

Theorem 43. Given $k$ copies of $|\psi\rangle$, as well as oracle access to $U_\psi$, a counterfeiter needs $\Omega(2^{n/2}/k)$ queries to prepare $|\psi\rangle^{\otimes k+1}$ with certainty (for a worst-case $|\psi\rangle$).

Proof. If the counterfeiter succeeds, it must map $|\psi\rangle^{\otimes k}$ to some state $|f_\psi\rangle := |\psi\rangle^{\otimes k+1}|\mathrm{garbage}_\psi\rangle$ and $|\varphi\rangle^{\otimes k}$ to $|f_\varphi\rangle := |\varphi\rangle^{\otimes k+1}|\mathrm{garbage}_\varphi\rangle$. Note that $|\langle f_\varphi|f_\psi\rangle| \leq c^{k+1}$, while the initial states $|\psi\rangle^{\otimes k}$ and $|\varphi\rangle^{\otimes k}$ have inner product $c^k$. So setting $d := c^{k+1}$, Theorem 20 tells us that the counterfeiter must make

$$\Omega\left(\frac{c^k - d}{\sqrt{\varepsilon}}\right)$$

queries to $U_\psi$. Fixing $c := 1 - \frac{1}{k}$, the above is $\Omega(2^{n/2}/k)$. $\square$
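The $\varepsilon$ computation and the closing arithmetic in the proofs of Theorems 42 and 43 can be checked numerically. The Python below is an added example, not code from the paper: it assumes the bound from Theorem 20 has the form $(c-d)/\sqrt{\varepsilon}$ as used above, constructs a Haar-random $|\psi\rangle$ on $n = 4$ qubits together with $|v\rangle, |\eta\rangle$ orthogonal to it, computes $\mathbb{E}_\eta|\langle\eta|v\rangle|^2$ exactly (the Haar average over $\psi^\perp$ equals the average over any orthonormal basis of $\psi^\perp$), checks the relation $|\langle v|\varphi\rangle|^2 = (1-c^2)|\langle\eta|v\rangle|^2$, and evaluates the two lower bounds. All function names are the example's own.

```python
import math
import random

# Vectors are plain Python lists of complex numbers (dimension 2**n), so this
# runs with the standard library only.


def haar_random_state(dim, rng):
    """Haar-random unit vector in C^dim: normalise a complex Gaussian vector."""
    v = [complex(rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)) for _ in range(dim)]
    norm = math.sqrt(sum(abs(x) ** 2 for x in v))
    return [x / norm for x in v]


def inner(a, b):
    """<a|b>, conjugate-linear in the first argument."""
    return sum(x.conjugate() * y for x, y in zip(a, b))


def random_state_orthogonal_to(psi, rng):
    """Haar-random unit vector in psi^perp: sample, project out psi, renormalise."""
    w = haar_random_state(len(psi), rng)
    coef = inner(psi, w)
    w = [x - coef * p for x, p in zip(w, psi)]
    norm = math.sqrt(sum(abs(x) ** 2 for x in w))
    return [x / norm for x in w]


def orthonormal_basis_of_complement(psi):
    """Gram-Schmidt over the standard basis, seeded with psi, which leaves an
    orthonormal basis of psi^perp (dim - 1 vectors)."""
    dim = len(psi)
    chosen = [list(psi)]
    complement = []
    for i in range(dim):
        e = [0j] * dim
        e[i] = 1 + 0j
        for b in chosen:
            coef = inner(b, e)
            e = [x - coef * y for x, y in zip(e, b)]
        norm = math.sqrt(sum(abs(x) ** 2 for x in e))
        if norm > 1e-9:  # exactly one standard vector is already in the span
            e = [x / norm for x in e]
            chosen.append(e)
            complement.append(e)
    return complement


def mean_overlap_on_complement(psi, v):
    """E_eta[|<eta|v>|^2] for eta Haar-random in psi^perp, computed exactly as
    the average over an orthonormal basis of psi^perp: for unit v in psi^perp
    this is 1/(dim - 1), the epsilon of the proof of Theorem 42."""
    basis = orthonormal_basis_of_complement(psi)
    return sum(abs(inner(eta, v)) ** 2 for eta in basis) / len(basis)


def overlap_with_related_state(psi, eta, v, c):
    """|<v|phi>|^2 for phi = c|psi> + sqrt(1-c^2)|eta>, i.e. (U_psi, U_phi) in R."""
    s = math.sqrt(1.0 - c * c)
    phi = [c * p + s * e for p, e in zip(psi, eta)]
    return abs(inner(v, phi)) ** 2


def check_epsilon(n, seed=1):
    """Reproduce the epsilon step of the proof for a constructed random instance."""
    rng = random.Random(seed)
    dim = 2 ** n
    psi = haar_random_state(dim, rng)
    v = random_state_orthogonal_to(psi, rng)
    eta = random_state_orthogonal_to(psi, rng)
    return {
        "epsilon": 1.0 / (dim - 1),
        "mean_overlap": mean_overlap_on_complement(psi, v),
        "eta_overlap": abs(inner(eta, v)) ** 2,
        "phi_overlap": overlap_with_related_state(psi, eta, v, 0.5),
    }


def adversary_bound(c, d, eps):
    """Query lower bound (c - d)/sqrt(eps) given by the inner-product adversary method."""
    return (c - d) / math.sqrt(eps)


def theorem42_bound(n, c=0.5):
    """Theorem 42: d = c^2 and eps = 1/(2^n - 1); c = 1/2 gives (1/4) sqrt(2^n - 1)."""
    eps = 1.0 / (2 ** n - 1)
    return adversary_bound(c, c * c, eps)


def theorem43_bound(n, k):
    """Theorem 43 (k >= 2): initial overlap c^k, d = c^(k+1), c = 1 - 1/k."""
    c = 1.0 - 1.0 / k
    eps = 1.0 / (2 ** n - 1)
    return adversary_bound(c ** k, c ** (k + 1), eps)


if __name__ == "__main__":
    r = check_epsilon(4)
    print("1/(2^n - 1) =", r["epsilon"], " exact E|<eta|v>|^2 =", r["mean_overlap"])
    print("|<v|phi>|^2 =", r["phi_overlap"], " <= |<eta|v>|^2 =", r["eta_overlap"])
    for n in (10, 20, 30):
        print(n, theorem42_bound(n) / 2 ** (n / 2),
              [theorem43_bound(n, k) * k / 2 ** (n / 2) for k in (2, 5, 20)])
```

The ratio `theorem42_bound(n) / 2**(n/2)` settles at $1/4$, and `theorem43_bound(n, k) * k / 2**(n/2)` stays between $1/4$ and $1/e$ for every $k \geq 2$, which is exactly the content of the two $\Omega$ statements. For $k = 1$ the choice $c = 1 - 1/k$ degenerates to $c = 0$ and the formula gives nothing, which is why Theorem 42 fixes $c = 1/2$ instead.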
We end this appendix by stating, without proof, three stronger lower bounds that are the direct analogues of Corollary 23, Corollary 24 and Theorem 25 respectively.

Corollary 44. Given one copy of $|\psi\rangle$, as well as oracle access to $U_\psi$, a counterfeiter needs $\Omega(2^{n/2})$ queries to prepare a state $\rho$ such that $\langle\psi|^{\otimes 2}\,\rho\,|\psi\rangle^{\otimes 2} \geq 0.9999$ (for a worst-case $|\psi\rangle$).

Corollary 45. Let $1/\varepsilon = o(2^n)$. Given one copy of $|\psi\rangle$, as well as oracle access to $U_\psi$, a counterfeiter needs $\Omega(\sqrt{\varepsilon}\,2^{n/2})$ queries to prepare a state $\rho$ such that $\langle\psi|^{\otimes 2}\,\rho\,|\psi\rangle^{\otimes 2} \geq \varepsilon$ (for a worst-case $|\psi\rangle$).

Theorem 46. Let $|\psi\rangle$ be an $n$-qubit pure state chosen uniformly from the Haar measure. Given one copy of $|\psi\rangle$, as well as oracle access to $U_\psi$, a counterfeiter $C$ needs $\Omega(\sqrt{\varepsilon}\,2^{n/2})$ queries to prepare a $2n$-qubit state $\rho$ that a projector $V_\psi$ onto $|\psi\rangle^{\otimes 2}$ accepts with probability at least $\varepsilon$, for all $1/\varepsilon = o(2^n)$. Here the probability is taken over the choice of $|\psi\rangle$, as well as the behavior of $C$ and $V_\psi$.